1 Crypto

Part I: Crypto
Part 1
Cryptography
Chapter 2: Crypto Basics

MXDXBVTZWVMXNSPBQXLIMSCCSGXSCJXBOVQXCJZMOJZCVC
TVWJCZAAXZBCSSCJXBQCJZCOJZCNSPOXBXSBTVWJC
JZDXGXXMOZQMSCSCJXBOVQXCJZMOJZCNSPJZHGXXMOSPLH
JZDXZAAXZBXHCSCJXTCSGXSCJXBOVQX
plaintext from Lewis Carroll, Alice in Wonderland
The solution is by no means so difficult as you might

be led to imagine from the first hasty inspection of the characters.
These characters, as any one might readily guess,
form a cipher that is to say, they convey a meaning
Edgar Allan Poe, The Gold Bug
Part 1
Cryptography
Crypto
Cryptology
The art and science of

making and breaking secret codes
Cryptography
making secret
codes
Cryptanalysis
breaking secret
codes
Crypto
all of the above (and more)
Part 1
Cryptography
How to Speak Crypto

A cipher or cryptosystem is used to encrypt
the plaintext
The result of encryption is ciphertext
We decrypt ciphertext to recover plaintext
A key is used to configure a cryptosystem
A symmetric key cryptosystem uses the same
key to encrypt as to decrypt
A public key cryptosystem uses a public key
to encrypt and a private key to decrypt
Part 1
Cryptography
Crypto
Basic assumptions
o The system is completely known to the attacker

o Only the key is secret
o That is, crypto algorithms are not secret
This is known as Kerckhoffs Principle

Why do we make such an assumption?
o Experience has shown that secret algorithms
tend to be weak when exposed

o Secret algorithms never remain secret
o Better to find weaknesses beforehand
Part 1
Cryptography
Crypto as Black Box
plaintext
key
key
encrypt
decrypt
plaintext
ciphertext
A generic view of symmetric key crypto

Part 1
Cryptography
Simple Substitution
Plaintext:
fourscoreandsevenyearsago
Key:
Plaintext
a b c d e f g h i j k l mn o p q r s t u v wx y z
Ciphertext D E F G H I J K L M N O P Q R S T U V WX Y Z A B C
Ciphertext:
IRXUVFRUHDQGVHYHQBHDUVDJR
Shift by 3 is Caesars cipher
Part 1
Cryptography
Ceasars Cipher Decryption

Suppose
we know a Caesars cipher is

being used:
Plaintext a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext D E F G H I J K L M N O P Q R S T U V WX Y Z A B C
Given
ciphertext:
VSRQJHEREVTXDUHSDQWV
Plaintext:
Part 1
Cryptography
spongebobsquarepants
8
Not-so-Simple Substitution
Shift
by n for some n {0,1,2,

,25}
Then key is n
Example: key n = 7
Ciphertext HI J K L M N O P Q R S T U V WX Y Z A B C D E F G
Part 1
Cryptography
Cryptanalysis I: Try Them All
A simple substitution (shift by n) is used

o But the key is unknown
Given ciphertext: CSYEVIXIVQMREXIH

How to find the key?
Only 26 possible keys
try them all!
Exhaustive key search
Solution: key is n = 4
Part 1
Cryptography
10
Simple Substitution: General Case
In general, simple substitution key can be

any permutation of letters
o Not necessarily a shift of the alphabet
For example
Ciphertext J I C A X S E Y V D K WB Q T Z R H F M P N U L G O
Then 26! > 288 possible keys
Part 1
Cryptography
11
Cryptanalysis II: Be Clever

We know that a simple substitution is used
But not necessarily a shift by n
Find the key given the ciphertext:
PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOX
BTFXQWAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQ
WAEBIPBFXFQVXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGD
PEQVPQGVPPBFTIXPFHXZHVFAGFOTHFEFBQUFTDHZBQPOTHXTY
FTODXQHFTDPTOGHFQPBQWAQJJTODXQHFOQPWTBDHHIXQV
APBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHF
QAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWF
LQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFH
XAFQHEFZQWGFLVWPTOFFA
Part 1
Cryptography
12
Cryptanalysis II
Cannot try all 288 simple substitution keys
Can we be more clever?
English letter frequency counts
0.14
0.12
0.10
0.08
0.06
0.04
0.02
0.00
Part 1
A B C D E
F G H I
Cryptography
J K
L M N O P Q R S T U V W X Y Z
13
Cryptanalysis II
Ciphertext:
PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQ
WAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQ
VXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFH
XZHVFAGFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQW
AQJJTODXQHFOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYY
DZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFF
ACFCCFHQWAUVWFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFH
FQAITIXPFHXAFQHEFZQWGFLVWPTOFFA
Analyze this message using statistics below
Ciphertext frequency counts:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
21 26 6
10 12 51 10 25 10 9
Part 1
Cryptography
10 0
15 28 42 0
27 4
24 22 28 6
14
Cryptanalysis: Terminology
Cryptosystem
is secure if best know

attack is to try all keys
o Exhaustive key search, that is
is insecure if any
shortcut attack is known
But then insecure cipher might be
harder to break than a secure cipher!
Cryptosystem
o What the ?
Part 1
Cryptography
15
Double Transposition
Plaintext:
attackxatxdawn
Permute rows
and columns
Ciphertext:
xtawxnattxadakc
Key is matrix size and permutations:
(3,5,1,4,2) and (1,3,2)
Part 1
Cryptography
16
One-Time Pad: Encryption
e=000
h=001
i=010
k=011
l=100
r=101
s=110
t=111
Encryption: Plaintext Key = Ciphertext
Plaintext: 001 000 010 100 001 010 111 100 000 101
Key: 111 101 110 101 111 100 000 101 110 000
Ciphertext: 110 101 100 001 110 110 111 001 110 101
s
Part 1
Cryptography
r
17
One-Time Pad: Decryption
e=000
h=001
i=010
k=011
l=100
r=101
s=110
t=111
Decryption: Ciphertext Key = Plaintext
Ciphertext: 110 101 100 001 110 110 111 001 110 101
Key: 111 101 110 101 111 100 000 101 110 000
Plaintext: 001 000 010 100 001 010 111 100 000 101
h
Part 1
Cryptography
r
18
One-Time Pad
Double agent claims following key was used:
s
Ciphertext: 110 101 100 001 110 110 111 001 110 101
key: 101 111 000 101 111 100 000 101 110 000
Plaintext: 011 010 100 100 001 010 111 100 000 101
e=000
k
h=001
Part 1
i=010
Cryptography
l
k=011
l=100
i
r=101
l
s=110
t=111
19
One-Time Pad
Or claims the key is
s
Ciphertext: 110 101 100 001 110 110 111 001 110 101
key: 111 101 000 011 101 110 001 011 101 101
Plaintext: 001 000 100 010 011 000 110 010 011 000
e=000
h
h=001
Part 1
i=010
Cryptography
l
k=011
l=100
e
r=101
i
s=110
t=111
20
One-Time Pad Summary
Provably secure
o Ciphertext provides no info about plaintext

o All plaintexts are equally likely
BUT, only when be used correctly
o Pad must be random, used only once

o Pad is known only to sender and receiver
Note: pad (key) is same size as message

So, why not distribute msg instead of pad?
Part 1
Cryptography
21
Real-World One-Time Pad
Project VENONA
o Encrypted spy messages from U.S. to Moscow in
30s, 40s, and 50s

o Nuclear espionage, etc.
o Thousands of messages
Spy carried one-time pad into U.S.

Spy used pad to encrypt secret messages
Repeats within the one-time pads made
cryptanalysis possible
Part 1
Cryptography
22
VENONA Decrypt (1944)

[C% Ruth] learned that her husband [v] was called up by the army but
he was not sent to the front. He is a mechanical engineer and is now
working at the ENORMOUS [ENORMOZ] [vi] plant in SANTA FE, New
Mexico. [45 groups unrecoverable]
detain VOLOK [vii] who is working in a plant on ENORMOUS. He is a
FELLOWCOUNTRYMAN [ZEMLYaK] [viii]. Yesterday he learned that
they had dismissed him from his work. His active work in progressive
organizations in the past was cause of his dismissal. In the
FELLOWCOUNTRYMAN line LIBERAL is in touch with CHESTER [ix].
They meet once a month for the payment of dues. CHESTER is
interested in whether we are satisfied with the collaboration and
whether there are not any misunderstandings. He does not inquire
about specific items of work [KONKRETNAYa RABOTA]. In as much
as CHESTER knows about the role of LIBERAL's group we beg
consent to ask C. through LIBERAL about leads from among people
who are working on ENOURMOUS and in other technical fields.
Ruth == Ruth Greenglass

Liberal == Julius Rosenberg
Enormous == the atomic bomb
Part 1
Cryptography
23
Codebook Cipher
Literally, a book filled with codewords
Zimmerman Telegram encrypted via codebook
Februar
fest
finanzielle
folgender
Frieden
Friedenschluss
:
:
13605
13732
13850
13918
17142
17149
Modern block ciphers are codebooks!

More about this later
Part 1
Cryptography
24
Codebook Cipher: Additive

Codebooks
also (usually) use additive

Additive
book of random numbers
o
o
o
o
o
Encrypt message with codebook

Then choose position in additive book
Add in additive to get ciphertext
Send ciphertext and additive position (MI)
Recipient subtracts additives before
decrypting
Why
Part 1
use an additive sequence?
Cryptography
25
Zimmerman
Telegram
Perhaps most
famous codebook
ciphertext ever
A major factor in
U.S. entry into
World War I
Part 1
Cryptography
26
Zimmerman
Telegram
Decrypted
British had
recovered
partial
codebook
Then able to
fill in missing
parts
Part 1
Cryptography
27
Random Historical Items

Crypto
timeline
Spartan
Scytale
transposition
cipher
Caesars cipher
Poes short story: The Gold Bug
Election of 1876
Part 1
Cryptography
28
Election of 1876
Rutherfraud Hayes vs Swindling Tilden

o Popular vote was virtual tie
Electoral college delegations for 4 states

(including Florida) in dispute
Commission gave all 4 states to Hayes
o Voted on straight party lines
Tilden accused Hayes of bribery

o Was it true?
Part 1
Cryptography
29
Election of 1876
Encrypted messages by Tilden supporters
later emerged
Cipher: Partial codebook, plus transposition
Codebook substitution for important words
ciphertext
Copenhagen
Greece
Rochester
Russia
Warsaw
:
Part 1
Cryptography
plaintext
Greenbacks
Hayes
votes
Tilden
telegram
:
30
Election of 1876
Apply codebook to original message
Pad message to multiple of 5 words (total
length, 10,15,20,25 or 30 words)
For each length, a fixed permutation
applied to resulting message
Permutations found by comparing several
messages of same length
Note that the same key is applied to all
messages of a given length
Part 1
Cryptography
31
Election of 1876
Ciphertext: Warsaw they read all
unchanged last are idiots cant situation
Codebook: Warsaw telegram
Transposition: 9,3,6,1,10,5,2,7,4,8
Plaintext: Cant read last telegram.
Situation unchanged. They are all idiots.
A weak cipher made worse by reuse of key
Lesson? Dont overuse keys!
Part 1
Cryptography
32
Early 20th Century

WWI Zimmerman Telegram
Gentlemen do not read each others mail
o Henry L. Stimson, Secretary of State, 1929
WWII
golden age of cryptanalysis
o Midway/Coral Sea
o Japanese Purple (codename MAGIC)
o German Enigma (codename ULTRA)
Part 1
Cryptography
33
Post-WWII History
Claude Shannon father of the science of
information theory
Computer revolution
lots of data to protect
Data Encryption Standard (DES), 70s
Public Key cryptography, 70s
CRYPTO conferences, 80s
Advanced Encryption Standard (AES), 90s
The crypto genie is out of the bottle
Part 1
Cryptography
34
Claude Shannon
The father of Information Theory
1949 paper:
Comm. Thy. of Secrecy Systems
Fundamental concepts
o Confusion
obscure relationship between

plaintext and ciphertext
o Diffusion spread plaintext statistics through
the ciphertext
Proved one-time pad is secure

One-time pad is confusion-only, while double
transposition is diffusion-only
Part 1
Cryptography
35
Taxonomy of Cryptography
Symmetric Key
o Same key for encryption and decryption

o Modern types: Stream ciphers, Block ciphers
Public Key (or asymmetric crypto)
o Two keys, one for encryption (public), and one
for decryption (private)

o And digital signatures nothing comparable in
symmetric key crypto
Hash algorithms
o Can be viewed as one way crypto
Part 1
Cryptography
36
Taxonomy of Cryptanalysis
From perspective of info available to Trudy

o Ciphertext only
o Known plaintext
o Chosen plaintext
o
o
o
o
Trudys worst case scenario
Lunchtime attack
Some protocols will encrypt chosen data
Adaptively chosen plaintext
Related key
Forward search (public key crypto)
And others
Part 1
Cryptography
37
Chapter 3:
Symmetric Key Crypto
The chief forms of beauty are order and symmetry
Aristotle
You boil it in sawdust: you salt it in glue:
You condense it with locusts and tape:
Still keeping one principal object in view
To preserve its symmetrical shape.
Lewis Carroll, The Hunting of the Snark
Part 1
Cryptography
38
Symmetric Key Crypto
Stream cipher
generalize one-time pad
o Except that key is relatively short

o Key is stretched into a long keystream
o Keystream is used just like a one-time pad
Block cipher
generalized codebook
o Block cipher key determines a codebook

o Each key yields a different codebook
o Employs both confusion and diffusion
Part 1
Cryptography
39
Stream Ciphers
Part 1
Cryptography
40
Stream Ciphers
Once upon a time, not so very long ago
stream ciphers were the king of crypto
Today, not as popular as block ciphers
Well discuss two stream ciphers:
A5/1
o Based on shift registers

o Used in GSM mobile phone system
RC4
o Based on a changing lookup table

o Used many places
Part 1
Cryptography
41
A5/1: Shift Registers

A5/1
uses 3 shift registers
o X: 19 bits (x0,x1,x2, ,x18)
o Y: 22 bits (y0,y1,y2, ,y21)

o Z: 23 bits (z0,z1,z2, ,z22)
Part 1
Cryptography
42
A5/1: Keystream
At each iteration: m = maj(x8, y10, z10)
o Examples: maj(0,1,0) = 0 and maj(1,1,0) = 1
If x8 = m then X steps
o t = x13 x16 x17 x18

o xi = xi1 for i = 18,17,,1 and x0 = t
If y10 = m then Y steps
o t = y20 y21
o yi = yi1 for i = 21,20,,1 and y0 = t
If z10 = m then Z steps
o t = z7 z20 z21 z22

o zi = zi1 for i = 22,21,,1 and z0 = t
Keystream
bit is x18 y21 z22
Cryptography
Part 1
43
A5/1
X
x0
x1
x2
x3
x4
x5
x6
x7
x8
x9
x10
x11
x12
x13
x14
x15
x16
x17
x18
y0
y1
y2
y3
y4
y5
y6
y7
y8
y9
y10 y11 y12 y13 y14 y15 y16 y17 y18 y19 y20 y21
z0
z1
z2
z3
z4
z5
z6
z7
z8
z9
z10 z11 z12 z13 z14 z15 z16 z17 z18 z19 z20 z21 z22
Each variable here is a single bit

Key is used as initial fill of registers
Each register steps (or not) based on maj(x8, y10, z10)
Keystream bit is XOR of rightmost bits of registers
Part 1
Cryptography
44
A5/1
X
1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 1
1 1 1 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 1
In this example, m = maj(x8, y10, z10) = maj(1,0,1) = 1

Register X steps, Y does not step, and Z steps
Keystream bit is XOR of right bits of registers
Here, keystream bit will be 0 1 0 = 1
Part 1
Cryptography
45
Shift Register Crypto

Shift register crypto efficient in hardware
Often, slow if implemented in software
In the past, very, very popular
Today, more is done in software due to
fast processors
Shift register crypto still used some
o Especially in resource-constrained devices
Part 1
Cryptography
46
RC4
A self-modifying lookup table
Table always contains a permutation of the
byte values 0,1,,255
Initialize the permutation using key
At each step, RC4 does the following
o Swaps elements in current lookup table

o Selects a keystream byte from table
Each step of RC4 produces a byte

o Efficient in software
Each step of A5/1 produces only a bit

o Efficient in hardware
Part 1
Cryptography
47
RC4 Initialization
S[]ispermutationof0,1,...,255
key[]containsNbytesofkey
fori=0to255
S[i]=i
K[i]=key[i(modN)]
nexti
j=0
fori=0to255
j=(j+S[i]+K[i])mod256
swap(S[i],S[j])
nexti
i=j=0
Part 1
Cryptography
48
RC4 Keystream
At each step, swap elements in table and

select keystream byte
i=(i+1)mod256
j=(j+S[i])mod256
swap(S[i],S[j])
t=(S[i]+S[j])mod256
keystreamByte=S[t]
Use keystream bytes like a one-time pad

Note: first 256 bytes should be discarded
o Otherwise, related key attack exists
Part 1
Cryptography
49
Stream Ciphers
Stream ciphers were popular in the past

o Efficient in hardware
o Speed was needed to keep up with voice, etc.
o Today, processors are fast, so software-based
crypto is usually more than fast enough
Future of stream ciphers?

o Shamir declared the death of stream ciphers
o May be greatly exaggerated
Part 1
Cryptography
50
Block Ciphers
Part 1
Cryptography
51
(Iterated) Block Cipher

Plaintext
and ciphertext consist of

fixed-sized blocks
Ciphertext obtained from plaintext
by iterating a round function
Input to round function consists of
key and output of previous round
Usually implemented in software
Part 1
Cryptography
52
Feistel Cipher: Encryption
Feistel cipher is a type of block cipher

o Not a specific block cipher
Split plaintext block into left and right

halves: P = (L0, R0)
For each round i = 1, 2, ..., n, compute
Li = Ri1
Ri = Li1 F(Ri1, Ki)
where F is round function and Ki is subkey
Ciphertext: C = (Ln, Rn)
Part 1
Cryptography
53
Feistel Cipher: Decryption

Start with ciphertext C = (Ln, Rn)
For each round i = n, n1, , 1, compute
Ri1 = Li
Li1 = Ri F(Ri1, Ki)
where F is round function and Ki is subkey
Plaintext: P = (L0, R0)
Decryption works for any function F
o But only secure for certain functions F
Part 1
Cryptography
54
Data Encryption Standard

DES developed in 1970s
Based on IBMs Lucifer cipher
DES was U.S. government standard
DES was controversial
o
o
o
o
Part 1
NSA secretly involved

Design process was secret
Key length reduced from 128 to 56 bits
Subtle changes to Lucifer algorithm
Cryptography
55
DES Numerology
DES is a Feistel cipher with

o
o
o
o
64 bit block length

56 bit key length
16 rounds
48 bits of key used each round (subkey)
Round function is simple (for block cipher)

Security depends heavily on S-boxes
o Each S-box maps 6 bits to 4 bits
Part 1
Cryptography
56
key
R
32
28
expand
48
32
48
S-boxes
28
shift
shift
28
Ki
28
compress
48
28
28
32
P box
32
32
One
Round
of
DES
Part 1
32
Cryptography
key
57
DES Expansion Permutation

Input
32 bits
0123456789101112131415
16171819202122232425262728293031
Output
48 bits
3101234345678
789101112111213141516
151617181920192021222324
23242526272827282930310
Part 1
Cryptography
58
DES S-box
8
substitution boxes or S-boxes

Each S-box maps 6 bits to 4 bits
Here is S-box number 1
input bits (0,5)
input bits (1,2,3,4)
|0000000100100011010001010110011110001001101010111100110111101111
00|1110010011010001001011111011100000111010011011000101100100000111
01|0000111101110100111000101101000110100110110010111001010100111000
10|0100000111101000110101100010101111111100100101110011101001010000
11|1111110010000010010010010001011101011011001111101010000001101101
Part 1
Cryptography
59
DES P-box
Input
32 bits
0123456789101112131415
16171819202122232425262728293031
Output
32 bits
1561920281127160142225417309
17231331262818122952110324
Part 1
Cryptography
60
DES Subkey
56 bit DES key, numbered 0,1,2,,55
Left half key bits, LK
4942352821147
0504336292215
815144373023
169252453831
Right half key bits, RK
55484134272013
6544740332619
1255346393225
181142417103
Part 1
Cryptography
61
DES Subkey
For rounds i=1,2,...,16

o Let LK = (LKcircular shift left byri)
o Let RK = (RKcircular shift left byri)
o Left half of subkey Ki is of LK bits
1316102304227145209
22181132571562619121
o Right half of subkey Ki is RK bits

12232818261112216419
15201027524171321703
Part 1
Cryptography
62
DES Subkey
For rounds 1, 2, 9 and 16 the shift ri is 1,
and in all other rounds ri is 2
Bits 8,17,21,24 of LK omitted each round
Bits 6,9,14,25 of RK omitted each round
Compression permutation yields 48 bit
subkey Ki from 56 bits of LK and RK
Key schedule generates subkey
Part 1
Cryptography
63
DES Last Word (Almost)

An
initial permutation before round 1

Halves are swapped after last round
A final permutation (inverse of initial
perm) applied to (R16, L16)
None
of this serves any security

purpose
Part 1
Cryptography
64
Security of DES
Security depends heavily on S-boxes

o Everything else in DES is linear
35+ years of intense analysis has revealed

no back door
Attacks, essentially exhaustive key search
Inescapable conclusions
o Designers of DES knew what they were doing

o Designers of DES were way ahead of their time
(wrt certain cryptanalytic techniques)
Part 1
Cryptography
65
Block Cipher Notation

P = plaintext block
C = ciphertext block
Encrypt P with key K to get ciphertext C
o C = E(P, K)
Decrypt C with key K to get plaintext P

o P = D(C, K)
Note: P = D(E(P, K), K) and C = E(D(C, K),

K)
o But P D(E(P, K1), K2) and C E(D(C, K1), K2)
when K1 K2
Part 1
Cryptography
66
Triple DES
Today, 56 bit DES key is too small

o Exhaustive key search is feasible
But DES is everywhere, so what to do?

Triple DES or 3DES (112 bit key)
o C = E(D(E(P,K1),K2),K1)
o P = D(E(D(C,K1),K2),K1)
Why Encrypt-Decrypt-Encrypt with 2

keys?
o Backward compatible: E(D(E(P,K),K),K) =
E(P,K)
o And 112 is a lot of bits
Part 1
Cryptography
67
3DES
Why not C = E(E(P,K),K) instead?

o Trick question
still just 56 bit key
Why not C = E(E(P,K1),K2) instead?

A (semi-practical) known plaintext attack
o Pre-compute table of E(P,K1) for every possible
key K1 (resulting table has 256 entries)

o Then for each possible K2 compute D(C,K2) until
a match in table is found
o When match is found, have E(P,K1) = D(C,K2)
o Result gives us keys: C = E(E(P,K1),K2)
Part 1
Cryptography
68
Advanced Encryption Standard

Replacement for DES
AES competition (late 90s)
o
o
o
o
NSA openly involved

Transparent selection process
Many strong algorithms proposed
Rijndael Algorithm ultimately selected
(pronounced like Rain Doll or Rhine Doll)
Iterated block cipher (like DES)

Not a Feistel cipher (unlike DES)
Part 1
Cryptography
69
AES: Executive Summary

Block
size: 128 bits (others in Rijndael)

Key length: 128, 192 or 256 bits
(independent of block size in Rijndael)
10 to 14 rounds (depends on key length)
Each round uses 4 functions (3 layers)
o
o
o
o
Part 1
ByteSub (nonlinear layer)

ShiftRow (linear mixing layer)
MixColumn (nonlinear layer)
AddRoundKey (key addition layer)
Cryptography
70
AES ByteSub
Treat 128 bit block as 4x4 byte array
ByteSub is AESs S-box

Can be viewed as nonlinear (but invertible)
composition of two math operations
Part 1
Cryptography
71
AES S-box
Last 4 bits of input
First 4
bits of
input
Part 1
Cryptography
72
AES ShiftRow
Cyclic
Part 1
shift rows
Cryptography
73
AES MixColumn
Invertible,
linear operation applied to

each column
Implemented
Part 1
Cryptography
as a (big) lookup table

74
AES AddRoundKey
XOR
subkey with block
Block
Subkey
RoundKey
(subkey) determined by key

schedule algorithm
Part 1
Cryptography
75
AES Decryption
To decrypt, process must be invertible
Inverse of MixAddRoundKey is easy, since
is its own inverse
MixColumn is invertible (inverse is also
implemented as a lookup table)
Inverse of ShiftRow is easy (cyclic shift
the other direction)
ByteSub is invertible (inverse is also
implemented as a lookup table)
Part 1
Cryptography
76
A Few Other Block Ciphers

Briefly
o IDEA
o Blowfish
o RC6
More
detailed
o TEA
Part 1
Cryptography
77
IDEA
Invented
by James Massey
o One of the giants of modern crypto
IDEA
has 64-bit block, 128-bit key

IDEA uses mixed-mode arithmetic
Combine different math operations
o IDEA the first to use this approach
o Frequently used today
Part 1
Cryptography
78
Blowfish
Blowfish encrypts 64-bit blocks
Key is variable length, up to 448 bits
Invented by Bruce Schneier
Almost a Feistel cipher
Ri = Li1 Ki
Li = Ri1 F(Li1 Ki)
The round function F uses 4 S-boxes

o Each S-box maps 8 bits to 32 bits
Key-dependent S-boxes
o S-boxes determined by the key
Part 1
Cryptography
79
RC6
Invented by Ron Rivest
Variables
o Block size
o Key size
o Number of rounds
An AES finalist
Uses data dependent rotations
o Unusual for algorithm to depend on plaintext
Part 1
Cryptography
80
Time for TEA

Tiny
Encryption Algorithm (TEA)

64 bit block, 128 bit key
Assumes 32-bit arithmetic
Number of rounds is variable (32 is
considered secure)
Uses weak round function, so large
number of rounds required
Part 1
Cryptography
81
TEA Encryption
Assuming 32 rounds:
(K[0], K[1], K[2], K[3]) = 128 bit key
(L,R) = plaintext (64-bit block)
delta = 0x9e3779b9
sum = 0
for i = 1 to 32
sum += delta
L +=
((R<<4)+K[0])^(R+sum)^((R>>5)+K[1])
R +=
((L<<4)+K[2])^(L+sum)^((L>>5)+K[3])
Part next
1 Cryptography
i
82
TEA Decryption
Assuming 32 rounds:
(K[0], K[1], K[2], K[3]) = 128 bit key
(L,R) = ciphertext (64-bit block)
delta = 0x9e3779b9
sum = delta << 5
for i = 1 to 32
R =
((L<<4)+K[2])^(L+sum)^((L>>5)+K[3])
L =
((R<<4)+K[0])^(R+sum)^((R>>5)+K[1])
sum = delta
Part next
1 Cryptography
i
83
TEA Comments
Almost a Feistel cipher
o Uses + and - instead of (XOR)
Simple, easy to implement, fast, low

memory requirement, etc.
Possibly a related key attack
eXtended TEA (XTEA) eliminates related
key attack (slightly more complex)
Simplified TEA (STEA)
insecure version
used as an example for cryptanalysis
Part 1
Cryptography
84
Block Cipher Modes
Part 1
Cryptography
85
Multiple Blocks
How to encrypt multiple blocks?
Do we need a new key for each block?
o If so, as impractical as a one-time pad!
Encrypt each block independently?

Is there any analog of codebook additive?
How to handle partial blocks?
o We wont discuss this issue
Part 1
Cryptography
86
Modes of Operation
Many modes we discuss 3 most popular
Electronic Codebook (ECB) mode
o Encrypt each block independently

o Most obvious approach, but a bad idea
Cipher Block Chaining (CBC) mode
o Chain the blocks together

o More secure than ECB, virtually no extra work
Counter Mode (CTR) mode
o Block ciphers acts like a stream cipher

o Popular for random access
Part 1
Cryptography
87
ECB Mode
Notation: C = E(P, K)
Given plaintext P0, P1, , Pm,
Most obvious way to use a block cipher:
Encrypt
Decrypt
C0 = E(P0, K)
P0 = D(C0, K)
C1 = E(P1, K)
P1 = D(C1, K)
C2 = E(P2, K)
P2 = D(C2, K)
For fixed key K, this is electronic version

of a codebook cipher (without additive)
o With a different codebook for each key
Part 1
Cryptography
88
ECB Cut and Paste

Suppose plaintext is
AlicedigsBob.TrudydigsTom.
Assuming 64-bit blocks and 8-bit ASCII:
P0 = Alicedi, P1 = gsBob.,
P2 = Trudydi, P3 = gsTom.
Ciphertext: C0, C1, C2, C3
Trudy cuts and pastes: C0, C3, C2, C1
Decrypts as
AlicedigsTom.TrudydigsBob.
Part 1
Cryptography
89
ECB Weakness
Suppose
Then
P i = Pj
Ci = Cj and Trudy knows Pi = Pj
This
gives Trudy some information,

even if she does not know Pi or Pj
Trudy
Is
Part 1
might know Pi
this a serious issue?

Cryptography
90
Alice Hates ECB Mode
Alices uncompressed image, and ECB encrypted (TEA)
Why does this happen?

Same plaintext yields same ciphertext!
Part 1
Cryptography
91
CBC Mode
Blocks are chained together
A random initialization vector, or IV, is
required to initialize CBC mode
IV is random, but not secret
Encryption
Decryption
C0 = E(IV P0, K),

P0 = IV D(C0, K),
C1 = E(C0 P1, K),
P1 = C0 D(C1, K),
C2 = E(C1 P2, K),
P2 = C1 D(C2, K),
Analogous to classic codebook with additive
Part 1
Cryptography
92
CBC Mode
Identical plaintext blocks yield different
ciphertext blocks this is very good!
But what about errors in transmission?
o If C1 is garbled to, say, G then
P1 C0 D(G, K), P2 G D(C2, K)

o But P3 = C2 D(C3, K), P4 = C3 D(C4, K),
o Automatically recovers from errors!
Cut and paste is still possible, but more

complex (and will cause garbles)
Part 1
Cryptography
93
Alice Likes CBC Mode
Alices uncompressed image, Alice CBC encrypted (TEA)
Why does this happen?

Same plaintext yields different ciphertext!
Part 1
Cryptography
94
Counter Mode (CTR)

CTR is popular for random access
Use block cipher like a stream cipher
Encryption
Decryption
C0 = P0 E(IV, K),
P0 = C0 E(IV, K),
C1 = P1 E(IV+1, K),
P1 = C1 E(IV+1, K),
C2 = P2 E(IV+2, K),
P2 = C2 E(IV+2, K),
Note: CBC also works for random access

o But there is a significant limitation
Part 1
Cryptography
95
Integrity
Part 1
Cryptography
96
Data Integrity
Integrity detect unauthorized writing
(i.e., detect unauthorized mod of data)
Example: Inter-bank fund transfers
o Confidentiality may be nice, integrity is critical
Encryption provides confidentiality

(prevents unauthorized disclosure)
Encryption alone does not provide integrity
o One-time pad, ECB cut-and-paste, etc., etc.
Part 1
Cryptography
97
MAC
Message
Authentication Code (MAC)
o Used for data integrity

o Integrity not the same as confidentiality
MAC
is computed as CBC residue
o That is, compute CBC encryption, saving
only final ciphertext block, the MAC

o The MAC serves as a cryptographic
checksum for data
Part 1
Cryptography
98
MAC Computation
MAC
computation (assuming N blocks)
C0 = E(IV P0, K),

C1 = E(C0 P1, K),
C2 = E(C1 P2, K),
CN1 = E(CN2 PN1, K) = MAC
Send
IV, P0, P1, , PN1 and MAC

Receiver does same computation and
verifies that result agrees with MAC
Both sender and receiver must know K
Part 1
Cryptography
99
Does a MAC work?

Suppose Alice has 4 plaintext blocks
Alice computes
C0 = E(IVP0, K), C1 = E(C0P1, K),

C2 = E(C1P2, K), C3 = E(C2P3, K) = MAC
Alice sends IV, P0, P1, P2, P3 and MAC to Bob

Suppose Trudy changes P1 to X
Bob computes
C0 = E(IVP0, K), C1 = E(C0X, K),

C2 = E(C1P2, K), C3 = E(C2P3, K) = MAC MAC
It works since error propagates into MAC

Trudy cant make MAC == MAC without K
Part 1
Cryptography
100
Confidentiality and Integrity

Encrypt with one key, MAC with another key
Why not use the same key?
o Send last encrypted block (MAC) twice?

o This cannot add any security!
Using different keys to encrypt and compute

MAC works, even if keys are related
o But, twice as much work as encryption alone
o Can do a little better about 1.5 encryptions
Confidentiality and integrity with same work

as one encryption is a research topic
Part 1
Cryptography
101
Uses for Symmetric Crypto

Confidentiality
o Transmitting data over insecure channel

o Secure storage on insecure media
Integrity
(MAC)
Authentication protocols (later)
Anything you can do with a hash
function (upcoming chapter)
Part 1
Cryptography
102
Chapter 4:
Public Key Cryptography
You should not live one way in private, another in public.
Publilius Syrus
Three may keep a secret, if two of them are dead.

Ben Franklin
Part 1
Cryptography
103
Two keys, one to encrypt, another to decrypt

o Alice uses Bobs public key to encrypt
o Only Bobs private key decrypts the message
Based on trap door, one way function
o One way means easy to compute in one direction,
but hard to compute in other direction

o Example: Given p and q, product N = pq easy to
compute, but hard to find p and q from N
o Trap door is used when creating key pairs
Part 1
Cryptography
104
Encryption
o Suppose we encrypt M with Bobs public key

o Bobs private key can decrypt C to recover M
Digital Signature
o Bob signs by encrypting with his private key

o Anyone can verify signature by decrypting
with Bobs public key

o But only Bob could have signed
o Like a handwritten signature, but much better
Part 1
Cryptography
105
Knapsack
Part 1
Cryptography
106
Knapsack Problem
Given a set of n weights W0,W1,...,Wn-1 and a

sum S, find ai {0,1} so that
S = a0W0+a1W1 + ... + an-1Wn-1

(technically, this is the subset sum problem)
Example
o Weights (62,93,26,52,166,48,91,141)
o Problem: Find a subset that sums to S = 302
o Answer: 62 + 26 + 166 + 48 = 302
The (general) knapsack is NP-complete
Part 1
Cryptography
107
Knapsack Problem
General knapsack (GK) is hard to solve
But superincreasing knapsack (SIK) is easy
SIK
each weight greater than the sum of
all previous weights
Example
o
o
o
o
Part 1
Weights (2,3,7,14,30,57,120,251)
Problem: Find subset that sums to S = 186
Work from largest to smallest weight
Answer: 120 + 57 + 7 + 2 = 186
Cryptography
108
Knapsack Cryptosystem
1.
2.
3.
4.
Generate superincreasing knapsack (SIK)

Convert SIK to general knapsack (GK)
Public Key: GK
Private Key: SIK and conversion factor
Goal
o
o
o
Part 1
Easy to encrypt with GK

With private key, easy to decrypt (solve SIK)
Without private key, Trudy has no choice but
to try to solve GK
Cryptography
109
Example
Start with(2,3,7,14,30,57,120,251) as the

SIK
Choose m = 41 and n = 491 (m, n
relatively prime, n exceeds sum of elements
in SIK)
Compute general knapsack
Part 1
2 41 mod 491 = 82
3 41 mod 491 = 123
7 41 mod 491 = 287
14 41 mod 491 = 83
30 41 mod 491 = 248
57 41 mod 491 = 373
120 41 mod 491 = 10
251 41 mod 491 = 471
Cryptography
General knapsack:
110
Knapsack Example
Private
Public
key: (2,3,7,14,30,57,120,251)
m1 mod n = 411 mod 491 = 12
key:
(82,123,287,83,248,373,10,471), n=491
Example: Encrypt 10010110
82 + 83 + 373 + 10 = 548
To
decrypt, use private key
o 548 12 = 193 mod 491

o Solve (easy) SIK with S = 193
o Obtain plaintext 10010110
Part 1
Cryptography
111
Knapsack Weakness
Trapdoor: Convert SIK into general
knapsack using modular arithmetic
One-way: General knapsack easy to
encrypt, hard to solve; SIK easy to solve
This knapsack cryptosystem is insecure
o Broken in 1983 with Apple II computer

o The attack uses lattice reduction
General knapsack is not general enough!
o This special case of knapsack is easy to break
Part 1
Cryptography
112
RSA
Part 1
Cryptography
113
RSA
Invented by Clifford Cocks (GCHQ) and

Rivest, Shamir, and Adleman (MIT)
o RSA is the gold standard in public key crypto
Let p and q be two large prime numbers

Let N = pq be the modulus
Choose e relatively prime to (p1)(q1)
Find d such that ed = 1 mod (p1)(q1)
Public key is (N,e)
Private key is d
Part 1
Cryptography
114
RSA
Message M is treated as a number
To encrypt M we compute
C = Me mod N
To decrypt ciphertext C compute
M = Cd mod N
Recall that e and N are public
If Trudy can factor N = pq, she can use e
to easily find d since ed = 1 mod (p1)
(q1)
So, factoring the modulus breaks RSA
o Is factoring the only way to break RSA?

Cryptography
Part 1
115
Does RSA Really Work?
Given C = Me mod N we want to show that

M = Cd mod N = Med mod N
Well need Eulers Theorem:
If x is relatively prime to n then x(n) = 1 mod n
Facts:
1) ed = 1 mod (p 1)(q 1)
2) By definition of mod, ed = k(p 1)(q 1) +
1
3) (N) = (p 1)(q 1)
Then ed 1 = k(p 1)(q 1) = k(N)

So, Med = M(ed 1) + 1 = MMed 1 = MMk(N)
= Cryptography
M(M(N))k mod N = M1k mod N = M mod N116
Part 1
Simple RSA Example

Example
of textbook RSA
o Select large primes p = 11, q = 3

o Then N = pq = 33 and (p 1)(q 1) =
20
o Choose e = 3 (relatively prime to 20)
o Find d such that ed = 1 mod 20
We find that d = 7 works
Public
key: (N, e) = (33, 3)

Private key: d = 7
Part 1
Cryptography
117
Simple RSA Example

Public key: (N, e) = (33, 3)
Private key: d = 7
Suppose message to encrypt is M = 8
Ciphertext C is computed as
C = Me mod N = 83 = 512 = 17 mod 33
Decrypt C to recover the message M by

M = Cd mod N = 177 = 410,338,673
= 12,434,505 33 + 8 = 8 mod 33
Part 1
Cryptography
118
More Efficient RSA (1)
Modular exponentiation example

o
A better way: repeated squaring
o
o
o
o
o
o
o
o
520 = 95367431640625 = 25 mod 35
20 = 10100 base 2
(1, 10, 101, 1010, 10100) = (1, 2, 5, 10, 20)
Note that 2 = 1 2, 5 = 2 2 + 1, 10 = 2 5, 20 = 2
10
51= 5 mod 35
52= (51)2 = 52 = 25 mod 35
55= (52)2 51 = 252 5 = 3125 = 10 mod 35
510 = (55)2 = 102 = 100 = 30 mod 35
520 = (510)2 = 302 = 900 = 25 mod 35
No huge numbers and its efficient!
Part 1
Cryptography
119
More Efficient RSA (2)
Use e = 3 for all users (but not same N or d)

+ Public key operations only require 2 multiplies
o Private key operations remain expensive
- If M < N1/3 then C = Me = M3 and cube root
attack
- For any M, if C1, C2, C3 sent to 3 users, cube root
attack works (uses Chinese Remainder Theorem)
Can prevent cube root attack by padding

message with random bits
Note: e = 216 + 1 also used (better than e
= 3)
Part 1
Cryptography
120
Diffie-Hellman
Part 1
Cryptography
121
Diffie-Hellman Key Exchange

Invented
by Williamson (GCHQ) and,

independently, by D and H (Stanford)
A key exchange algorithm
o Used to establish a shared symmetric key

o Not for encrypting or signing
Based
on discrete log problem
o Given: g, p, and gk mod p

o Find: exponent k
Part 1
Cryptography
122
Diffie-Hellman
Let p be prime, let g be a generator
o For any x {1,2,,p-1} there is n s.t. x = gn
mod p
Alice selects her private value a

Bob selects his private value b
Alice sends ga mod p to Bob
Bob sends gb mod p to Alice
Both compute shared secret, gab mod p
Shared secret can be used as symmetric key
Part 1
Cryptography
123
Diffie-Hellman
Public: g and p
Private: Alices exponent a, Bobs exponent b
ga mod p
gb mod p
Alice, a
Bob, b
Alice computes (gb)a = gba = gab mod p

Bob computes (ga)b = gab mod p
They can use K = gab mod p as symmetric
key
Part 1 Cryptography
124
Diffie-Hellman
Suppose Bob and Alice use Diffie-Hellman
to determine symmetric key K = gab mod
p
Trudy can see ga mod p and gb mod p
o But ga gb mod p = ga+b mod p gab mod p
If Trudy can find a or b, she gets K
If Trudy can solve discrete log problem,
she can find a or b
Part 1
Cryptography
125
Diffie-Hellman
Subject to man-in-the-middle (MiM) attack

ga mod p
gt mod p
gt mod p
gb mod p
Trudy, t
Alice, a
Bob, b
Trudy shares secret gat mod p with Alice

Trudy shares secret gbt mod p with Bob
Alice and Bob dont know Trudy is MiM
Part 1
Cryptography
126
Diffie-Hellman
How to prevent MiM attack?

o
o
o
o
Encrypt DH exchange with symmetric key

Encrypt DH exchange with public key
Sign DH values with private key
Other?
At this point, DH may look pointless

o but its not (more on this later)
You MUST be aware of MiM attack on

Diffie-Hellman
Part 1
Cryptography
127
Elliptic Curve Cryptography
Part 1
Cryptography
128
Elliptic Curve Crypto (ECC)

Elliptic
curve is not a cryptosystem

Elliptic curves provide different way
to do the math in public key system
Elliptic curve versions of DH, RSA,
Elliptic curves are more efficient
o Fewer bits needed for same security
o But the operations are more complex
Part 1
Cryptography
129
What is an Elliptic Curve?

An
elliptic curve E is the graph of

an equation of the form
y2=x3+ax+b
Also includes a point at infinity
What do elliptic curves look like?
See the next slide!
Part 1
Cryptography
130
Elliptic Curve Picture

y
Consider elliptic curve

E: y2=x3x+1
P2
P1
x
P3
Part 1
If P1 and P2 are on E, we
can define
P3=P1+P2
as shown in picture
Addition is all we need
Cryptography
131
Points on Elliptic Curve
Consider y2=x3+2x+3(mod5)
x=0y2=3nosolution(mod5)
x=1y2=6=1y=1,4(mod5)
x=2y2=15=0y=0(mod5)
x=3y2=36=1y=1,4(mod5)
x=4y2=75=0y=0(mod5)
Then points on the elliptic curve are

(1,1)(1,4)(2,0)(3,1)(3,4)(4,0)
and the point at infinity:
Part 1
Cryptography
132
Elliptic Curve Math
Addition on: y2=x3+ax+b(modp)

P1=(x1,y1), P2=(x2,y2)
P1+P2=P3=(x3,y3) where
x3=m2x1x2(modp)
y3=m(x1x3)y1(modp)
And m=(y2y1)(x2x1)1 modp, if P1P2
m=(3x12+a)(2y1)1 modp, if P1=P2
Special cases: If m is infinite, P3=, and
+P=P for all P
Part 1
Cryptography
133
Elliptic Curve Addition

Consider y2=x3+2x+3(mod5).
Points on the curve are (1,1)(1,4)
(2,0)(3,1)(3,4)(4,0)and
What is (1,4)+(3,1)=P3=(x3,y3)?
m=(14)(31)1=321
=2(3)=6=1(mod5)
x3=113=2(mod5)
y3=1(12)4=0(mod5)
On this curve, (1,4)+(3,1)=(2,0)
Part 1
Cryptography
134
ECC Diffie-Hellman
Public: Elliptic curve and point (x,y) on curve

Private: Alices A and Bobs B
A(x,y)
B(x,y)
Alice, A
Bob, B
Alice computes A(B(x,y))

Bob computes B(A(x,y))
These are the same since AB = BA
Part 1
Cryptography
135
ECC Diffie-Hellman
Public: Curve y2=x3+7x+b(mod37)
and point (2,5)b=3
Alices private: A=4
Bobs private: B=7
Alice sends Bob: 4(2,5)=(7,32)
Bob sends Alice: 7(2,5)=(18,35)
Alice computes: 4(18,35)=(22,1)
Bob computes: 7(7,32)=(22,1)
Part 1
Cryptography
136
Uses for Public Key Crypto
Part 1
Cryptography
137
Uses for Public Key Crypto

Confidentiality
o Transmitting data over insecure channel

o Secure storage on insecure media
Authentication
protocols (later)
Digital signature
o Provides integrity and non-repudiation

o No non-repudiation with symmetric keys
Part 1
Cryptography
138
Non-non-repudiation
Alice orders 100 shares of stock from Bob
Alice computes MAC using symmetric key
Stock drops, Alice claims she did not order
Can Bob prove that Alice placed the order?
No! Bob also knows the symmetric key, so
he could have forged the MAC
Problem: Bob knows Alice placed the order,
but he cant prove it
Part 1
Cryptography
139
Non-repudiation
Alice orders 100 shares of stock from Bob
Alice signs order with her private key
Stock drops, Alice claims she did not order
Can Bob prove that Alice placed the order?
Yes! Alices private key used to sign the
order only Alice knows her private key
This assumes Alices private key has not
been lost/stolen
Part 1
Cryptography
140
Public Key Notation

Sign
message M with Alices

private key: [M]Alice
Encrypt
message M with Alices

public key: {M}Alice
Then
{[M]Alice}Alice = M
[{M}Alice]Alice = M
Part 1
Cryptography
141
Sign and Encrypt

vs
Encrypt and Sign
Part 1
Cryptography
142
Confidentiality and
Non-repudiation?
Suppose
that we want confidentiality

and integrity/non-repudiation
Can public key crypto achieve both?
Alice sends message to Bob
o Sign and encrypt: {[M]Alice}Bob
o Encrypt and sign: [{M}Bob]Alice
Can
Part 1
the order possibly matter?
Cryptography
143
Sign and Encrypt
M = I love you
{[M]Alice}Bob
{[M]Alice}Charlie
Bob
Alice
Part 1
Charlie
Q: Whats the problem?

A: No problem public key is public
Cryptography
144
Encrypt and Sign
M = My theory, which is mine.

[{M}Bob]Alice
Alice
[{M}Bob]Charlie
Charlie
Part 1
Bob
Note that Charlie cannot decrypt M

Q: What is the problem?
A: No problem public key is public
Cryptography
145
Public Key Infrastructure
Part 1
Cryptography
146
Public Key Certificate

Digital certificate contains name of user and
users public key (possibly other info too)
It is signed by the issuer, a Certificate
Authority (CA), such as VeriSign
M = (Alice, Alices public key), S = [M]CA
Alices Certificate = (M, S)

Signature on certificate is verified using
CAs public key
Must verify that M = {S}CA
Part 1
Cryptography
147
Certificate Authority
Certificate authority (CA) is a trusted 3rd
party (TTP) creates and signs certificates
Verify signature to verify integrity & identity
of owner of corresponding private key
o Does not verify the identity of the sender of
certificate
certificates are public!
Big problem if CA makes a mistake

o CA once issued Microsoft cert. to someone else
A common format for certificates is X.509
Part 1
Cryptography
148
PKI
Public Key Infrastructure (PKI): the stuff

needed to securely use public key crypto
o Key generation and management
o Certificate authority (CA) or authorities
o Certificate revocation lists (CRLs), etc.
No general standard for PKI

We mention 3 generic trust models
o We only discuss the CA (or CAs)
Part 1
Cryptography
149
PKI Trust Models

Monopoly
model
o One universally trusted organization is
the CA for the known universe

o Big problems if CA is ever compromised
o Who will act as CA ???
System is useless if you dont trust the CA!
Part 1
Cryptography
150
PKI Trust Models

Oligarchy
o Multiple (as in, a few) trusted CAs

o This approach is used in browsers today
o Browser may have 80 or more CA
certificates, just to verify certificates!

o User can decide which CA or CAs to trust
Part 1
Cryptography
151
PKI Trust Models
Anarchy model
o Everyone is a CA
o Users must decide who to trust
o This approach used in PGP: Web of trust
Why is it anarchy?
o Suppose certificate is signed by Frank and you
dont know Frank, but you do trust Bob and Bob

says Alice is trustworthy and Alice vouches for
Frank. Should you accept the certificate?
Many other trust models/PKI issues
Part 1
Cryptography
152
Confidentiality
in the Real World
Part 1
Cryptography
153
Symmetric Key vs Public Key

Symmetric
key +s
o Speed
o No public key infrastructure (PKI) needed
(but have to generate/distribute keys)
Public
Key +s
o Signatures (non-repudiation)
o No shared secret (but, do have to get
private keys to the right user)
Part 1
Cryptography
154
Notation Reminder
Public
key notation
o Sign M with Alices private key
[M]Alice
o Encrypt M with Alices public key
{M}Alice
Symmetric
key notation
o Encrypt P with symmetric key K
C = E(P,K)
o Decrypt C with symmetric key K
P = D(C,K)
Part 1
Cryptography
155
Real World Confidentiality
Hybrid cryptosystem
o Public key crypto to establish a key

o Symmetric key crypto to encrypt data
Im Alice, {K}Bob
E(Bobs data, K)
E(Alices data, K)
Alice
Bob
Can Bob be sure hes talking to Alice?
Part 1
Cryptography
156
Chapter 5: Hash Functions++

I'm sure [my memory] only works one way. Alice remarked.
I can't remember things before they happen.
It's a poor sort of memory that only works backwards,
the Queen remarked.
What sort of things do you remember best?" Alice ventured to ask.
Oh, things that happened the week after next,"
the Queen replied in a careless tone.
Lewis Carroll, Through the Looking Glass
Part 1
Cryptography
157
Chapter 5: Hash Functions++

A boat, beneath a sunny sky
Lingering onward dreamily
In an evening of July
Children three that nestle near,
Eager eye and willing ear,
...
Lewis Carroll, Through the Looking Glass
Part 1
Cryptography
158
Hash Function Motivation
Suppose Alice signs M
o Alice sends M and S = [M]Alice to Bob

o Bob verifies that M = {S}Alice
o Can Alice just send S?
If M is big, [M]Alice costly to compute & send

Suppose instead, Alice signs h(M), where
h(M) is a much smaller fingerprint of M
o Alice sends M and S = [h(M)]Alice to Bob

o Bob verifies that h(M) = {S}Alice
Part 1
Cryptography
159
Hash Function Motivation
So, Alice signs h(M)
o That is, Alice computes S = [h(M)]Alice

o Alice then sends (M, S) to Bob
o Bob verifies that h(M) = {S}Alice
What properties must h(M) satisfy?
o Suppose Trudy finds M so that h(M) = h(M)

o Then Trudy can replace (M, S) with (M, S)
Does Bob detect this tampering?

o No, since h(M) = h(M) = {S}Alice
Part 1
Cryptography
160
Crypto Hash Function
Crypto hash function h(x) must provide
o Compression output length is small

o Efficiency h(x) easy to compute for any x
o One-way given a value y it is infeasible to
find an x such that h(x) = y

o Weak collision resistance given x and h(x),
infeasible to find y x such that h(y) = h(x)
o Strong collision resistance infeasible to find
any x and y, with x y such that h(x) = h(y)
Lots of collisions exist, but hard to find any
Part 1
Cryptography
161
Pre-Birthday Problem
Suppose
N people in a room
How large must N be before the
probability someone has same
birthday as me is 1/2 ?
o Solve: 1/2 = 1 (364/365)N for N
o We find N = 253
Part 1
Cryptography
162
Birthday Problem
How many people must be in a room before

probability is 1/2 that any two (or more)
have same birthday?
o 1 365/365 364/365 (365N+1)/365
o Set equal to 1/2 and solve: N = 23
Surprising? A paradox?
Maybe not: Should be about sqrt(365)
since we compare all pairs x and y
o And there are 365 possible birthdays
Part 1
Cryptography
163
Of Hashes and Birthdays

If h(x) is N bits, then 2N different hash
values are possible
So, if you hash about sqrt(2N) = 2N/2 values
then you expect to find a collision
Implication? Exhaustive search attack
o Secure N-bit hash requires 2N/2 work to break

o Recall that secure N-bit symmetric cipher has
work factor of 2N1
Hash output length vs cipher key length?
Part 1
Cryptography
164
Non-crypto Hash (1)
Data X = (X1,X2,X3,,Xn), each Xi is a byte
Define h(X) = (X1+X2+X3++Xn) mod 256
Is this a secure cryptographic hash?

Example: X = (10101010, 00001111)
Hash is h(X) = 10111001
If Y = (00001111, 10101010) then h(X) =
h(Y)
Easy to find collisions, so not secure
Part 1
Cryptography
165
Non-crypto Hash (2)

Data X = (X0,X1,X2,,Xn-1)
Suppose hash is defined as
h(X) = (nX1+(n1)X2+(n2)X3++2Xn-1+Xn)
mod 256
Is this a secure cryptographic hash?

Note that
h(10101010, 00001111) h(00001111,

10101010)
But hash of (00000001, 00001111) is

same as hash of (00000000, 00010001)
Not secure, but this hash is used in the
application rsync
Part(non-crypto)
1 Cryptography
166
Non-crypto Hash (3)

Cyclic Redundancy Check (CRC)
Essentially, CRC is the remainder in a long
division calculation
Good for detecting burst errors
o Such random errors unlikely to yield a collision
But easy to construct collisions
o In crypto, Trudy is the enemy, not random
CRC has been mistakenly used where crypto

integrity check is required (e.g., WEP)
Part 1
Cryptography
167
Popular Crypto Hashes
MD5
invented by Rivest (of course)
o 128 bit output

o MD5 collisions easy to find, so its broken
SHA-1 A U.S. government standard,

inner workings similar to MD5
o 160 bit output
Many other hashes, but MD5 and SHA-1

are the most widely used
Hashes work by hashing message in blocks
Part 1
Cryptography
168
Crypto Hash Design
Desired property: avalanche effect
o Change to 1 bit of input should affect about
half of output bits
Crypto hash functions consist of some

number of rounds
Want security and speed
o Avalanche effect after few rounds

o But simple rounds
Analogous to design of block ciphers
Part 1
Cryptography
169
Tiger Hash
Fast
and strong
Designed by Ross Anderson and Eli
Biham leading cryptographers
Design criteria
o Secure
o Optimized for 64-bit processors
o Easy replacement for MD5 or SHA-1
Part 1
Cryptography
170
Tiger Hash
Like MD5/SHA-1, input divided into 512 bit
blocks (padded)
Unlike MD5/SHA-1, output is 192 bits
(three 64-bit words)
o Truncate output if replacing MD5 or SHA-1
Intermediate rounds are all 192 bits

4 S-boxes, each maps 8 bits to 64 bits
A key schedule is used
Part 1
Cryptography
171
a b c
Xi
F5
Tiger Outer Round
o X = (X0,X1,,Xn-1)
o X is padded
key schedule
F7
key schedule

a b c
a b c
Part 1
o Each Xi is 512 bits
F9
Cryptography
Input is X
There are n iterations

of diagram at left
o One for each input block
Initial (a,b,c)
constants
Final (a,b,c) is hash
Looks like block cipher!
172
Tiger Inner Rounds

Each Fm consists of
precisely 8 rounds
512 bit input W to Fm
a b c
fm,0
w0
fm.1
w1
fm,2
w2
fm,7
w7
o W=(w0,w1,,w7)
o W is one of the input
blocks Xi
All lines are 64 bits

The fm,i depend on the
S-boxes (next slide)
a b c
Part 1
Cryptography
173
Tiger Hash: One Round
Each fm,i is a function of a,b,c,wi and m

o
o
o
o
Input values of a,b,c from previous round

And wi is 64-bit block of 512 bit W
Subscript m is multiplier
And c = (c0,c1,,c7)
Output of fm,i is
o c = c wi
o a = a (S0[c0] S1[c2] S2[c4] S3[c6])
o b = b + (S3[c1] S2[c3] S1[c5] S0[c7])
o b=bm
Each Si is S-box: 8 bits mapped to 64 bits
Part 1
Cryptography
174
Tiger Hash
Key Schedule
Input
is X
o X=(x0,x1,
,x7)
Small
change
in X will
produce large
change in key
schedule
output
Part 1
Cryptography
x0 = x0 (x7
0xA5A5A5A5A5A5A5A5)
x1 = x 1 x0
x2 = x 2 x1
x3 = x3 (x2 ((~x1) << 19))
x4 = x 4 x3
x5 = x5 +x4
x6 = x6 (x5 ((~x4) >> 23))
x7 = x 7 x6
x0 = x0 +x7
x1 = x1 (x0 ((~x7) << 19))
x2 = x 2 x1
x3 = x3 +x2
x4 = x4 (x3 ((~x2) >> 23))
x5 = x 5 x4
x6 = x6 +x5
175
x7 = x7 (x6
Tiger Hash Summary (1)

Hash and intermediate values are 192 bits
24 (inner) rounds
o S-boxes: Claimed that each input bit affects a,
b and c after 3 rounds

o Key schedule: Small change in message affects
many bits of intermediate hash values
o Multiply: Designed to ensure that input to S-box
in one round mixed into many S-boxes in next
S-boxes, key schedule and multiply together

designed to ensure strong avalanche effect
Part 1
Cryptography
176
Tiger Hash Summary (2)

Uses
lots of ideas from block ciphers
o S-boxes
o Multiple rounds
o Mixed mode arithmetic
At
a higher level, Tiger employs
o Confusion
o Diffusion
Part 1
Cryptography
177
HMAC
Can compute a MAC of the message M with
key K using a hashed MAC or HMAC
HMAC is a keyed hash
o Why would we need a key?
How to compute HMAC?

Two obvious choices: h(K,M) and h(M,K)
Which is better?
Part 1
Cryptography
178
HMAC
Should we compute HMAC as h(K,M) ?
Hashes computed in blocks
o h(B1,B2) = F(F(A,B1),B2) for some F and constant
A
o Then h(B1,B2) = F(h(B1),B2)
Let M = (M,X)
o Then h(K,M) = F(h(K,M),X)

o Attacker can compute HMAC of M without K
Is h(M,K) better?
o Yes, but if h(M) = h(M) then we might have
h(M,K)=F(h(M),K)=F(h(M),K)=h(M,K)
Part 1
Cryptography
179
Correct Way to HMAC

Described in RFC 2104
Let B be the block length of hash, in bytes
o B = 64 for MD5 and SHA-1 and Tiger
ipad = 0x36 repeated B times

opad = 0x5C repeated B times
Then
HMAC(M,K) = h(K opad, h(K ipad, M))
Part 1
Cryptography
180
Hash Uses
Authentication (HMAC)
Message integrity (HMAC)
Message fingerprint
Data corruption detection
Digital signature efficiency
Anything you can do with symmetric crypto
Also, many, many clever/surprising uses
Part 1
Cryptography
181
Online Bids
Suppose Alice, Bob and Charlie are bidders
Alice plans to bid A, Bob B and Charlie C
They dont trust that bids will stay secret
A possible solution?
o Alice, Bob, Charlie submit hashes h(A), h(B),
h(C)
o All hashes received and posted online
o Then bids A, B, and C submitted and revealed
Hashes dont reveal bids (one way)

Cant change bid after hash sent (collision)
But there is a serious flaw here
Part 1
Cryptography
182
Hashing for Spam Reduction

Spam
reduction
Before accept email, want proof that
sender had to work to create email
o Here, work == CPU cycles
Goal
is to limit the amount of email

that can be sent
o This approach will not eliminate spam

o Instead, make spam more costly to send
Part 1
Cryptography
183
Spam Reduction
Let M = email message
R = value to be determined
T = current time
Sender must find R so that
h(M,R,T) = (000,X), that is,

initial N bits of hash value are all zero
Sender then sends (M,R,T)

Recipient accepts email, provided that
h(M,R,T) begins with N zeros

Part 1
Cryptography
184
Spam Reduction
Sender: h(M,R,T) begins with N zeros
Recipient: verify that h(M,R,T) begins with
N zeros
Work for sender: on average 2N hashes
Work for recipient: always 1 hash
Senders work increases exponentially in N
Small work for recipient regardless of N
Choose N so that
o Work acceptable for normal amounts of email

o Work is too high for spammers
Part 1
Cryptography
185
Secret Sharing
Part 1
Cryptography
186
Shamirs Secret Sharing

Y
Two points determine a line

Give (X0,Y0) to Alice
(X1,Y1)
(X0,Y0)
Give (X1,Y1) to Bob
Then Alice and Bob must

cooperate to find secret S
Also works in discrete case
X
Easy to make m out of n
scheme for any m n
(0,S)
2 out of 2
Part 1
Cryptography
187

Y
(X0,Y0)
(X1,Y1)
(X2,Y2)
Part 1
Cryptography
Give (X1,Y1) to Bob
Give (X2,Y2) to Charlie
Then any two can cooperate

to find secret S
No one can determine S
A 2 out of 3 scheme
(0,S)
2 out of 3
188

Y
(X0,Y0)
(X1,Y1)
(X2,Y2)
(0,S)
Give (X1,Y1) to Bob
Give (X2,Y2) to Charlie
3 pts determine parabola
Alice, Bob, and Charlie

must cooperate to find S
3 out of 3
Part 1
Cryptography
A 3 out of 3 scheme
What about 3 out of 4?

189
Secret Sharing Use?

Key escrow suppose its required that
your key be stored somewhere
Key can be recovered with court order
But you dont trust FBI to store your keys
We can use secret sharing
o Say, three different government agencies

o Two must cooperate to recover the key
Part 1
Cryptography
190
Secret Sharing Example

Y
Your symmetric key is K

Point (X0,Y0) to FBI
(X0,Y0)
(X1,Y1)
(X2,Y2)
(0,K)
Point (X1,Y1) to DoJ
Point (X2,Y2) to DoC
To recover your key K,

two of the three
agencies must cooperate
No one agency can get K
Part 1
Cryptography
191
Visual Cryptography
Another form of secret sharing
Alice and Bob share an image
Both must cooperate to reveal the image
Nobody can learn anything about image
from Alices share or Bobs share
o That is, both shares are required
Is this possible?
Part 1
Cryptography
192
Visual Cryptography
How
to share a pixel?
Suppose image is black and white
Then each pixel
is either black
or white
We split pixels
as shown
Part 1
Cryptography
193
Sharing Black & White Image

If
pixel is white, randomly choose a

or b for Alices/Bobs shares
If pixel is
black, randomly
choose c or d
No information
in one share
Part 1
Cryptography
194
Visual Crypto Example
Part 1
Alices
share
Cryptography
Bobs
share
Overlaid
shares
195
Visual Crypto
How
does visual crypto compare to

regular crypto?
In visual crypto, no key
o Or, maybe both images are the key?
With
encryption, exhaustive search
o Except for the one-time pad
Exhaustive
search on visual crypto?
o No exhaustive search is possible!
Part 1
Cryptography
196
Visual Crypto
Visual crypto no exhaustive search
How does visual crypto compare to crypto?
o Visual crypto is information theoretically
secure also true of secret sharing schemes

o With regular encryption, goal is to make
cryptanalysis computationally infeasible
Visual crypto an example of secret sharing

o Not really a form of crypto, in the usual sense
Part 1
Cryptography
197
Random Numbers in
Cryptography
Part 1
Cryptography
198
Random Numbers
Random numbers used to generate keys

o Symmetric keys
o RSA: Prime numbers
o Diffie Hellman: secret values
Random numbers used for nonces
o Sometimes a sequence is OK
o But sometimes nonces must be random
Random numbers also used in simulations,

statistics, etc.
o In such apps, need statistically random numbers
Part 1
Cryptography
199
Random Numbers
Cryptographic random numbers must be
statistically random and unpredictable
Suppose server generates symmetric keys
o
o
o
o
Alice: KA
Bob: KB
Charlie: KC
Dave: KD
Alice, Bob, and Charlie dont like Dave

Alice, Bob, and Charlie, working together,
must not be able to determine KD
Part 1
Cryptography
200
Non-random Random Numbers
Online version of Texas Hold em Poker

o ASF Software, Inc.
Random numbers used to shuffle the deck

Program did not produce a random shuffle
A serious problem, or not?
Part 1
Cryptography
201
Card Shuffle
There are 52! > 2225 possible shuffles
The poker program used random 32-bit
integer to determine the shuffle
o So, only 232 distinct shuffles could occur
Code used Pascal pseudo-random number

generator (PRNG): Randomize()
Seed value for PRNG was function of
number of milliseconds since midnight
Less than 227 milliseconds in a day
o So, less than 227 possible shuffles
Part 1
Cryptography
202
Card Shuffle
Seed based on milliseconds since midnight
PRNG re-seeded with each shuffle
By synchronizing clock with server, number
of shuffles that need to be tested 218
Could then test all 218 in real time
o Test each possible shuffle against up cards
Attacker knows every card after the first

of five rounds of betting!
Part 1
Cryptography
203
Poker Example
Poker program is an extreme example
o But common PRNGs are predictable

o Only a question of how many outputs must be
observed before determining the sequence
Crypto random sequences not predictable

o For example, keystream from RC4 cipher
o But seed (or key) selection is still an issue!
How to generate initial random values?

o Keys (and, in some cases, seed values)
Part 1
Cryptography
204
What is Random?
True
random hard to even define

Entropy is a measure of randomness
Good sources of true randomness
o Radioactive decay
but, radioactive
computers are not too popular
o Hardware devices many good ones on
the market
o Lava lamp relies on chaotic behavior
Part 1
Cryptography
205
Randomness
Sources of randomness via software
o Software is supposed to be deterministic

o So, must rely on external random events
o Mouse movements, keyboard dynamics, network
activity, etc., etc.
Can get quality random bits by such methods

But quantity of bits is very limited
Bottom line: The use of pseudo-random
processes to generate secret quantities can
result in pseudo-security
Part 1
Cryptography
206
Information Hiding
Part 1
Cryptography
207
Information Hiding
Digital
Watermarks
o Example: Add invisible info to data

o Defense against music/software piracy
Steganography
o Secret communication channel

o Similar to a covert channel (more later)
o Example: Hide data in an image file
Part 1
Cryptography
208
Watermark
Add
a mark to data
Visibility (or not) of watermarks
o Invisible Watermark is not obvious
o Visible Such as TOP SECRET
Strength
o Robust
o Fragile
Part 1
Cryptography
of watermarks
Readable even if attacked
Damaged if attacked
209
Watermark Examples
Add robust invisible mark to digital music
o If pirated music appears on Internet, can trace
it back to original source of the leak
Add fragile invisible mark to audio file
o If watermark is unreadable, recipient knows
that audio has been tampered with (integrity)
Combinations of several types are

sometimes used
o E.g., visible plus robust invisible watermarks
Part 1
Cryptography
210
Watermark Example (1)

Non-digital
Image
watermark: U.S. currency
embedded in paper on rhs
o Hold bill to light to see embedded info
Part 1
Cryptography
211
Watermark Example (2)

Add
invisible watermark to photo

Claim is that 1 inch2 contains enough
info to reconstruct entire photo
If photo is damaged, watermark can
be used to reconstruct it!
Part 1
Cryptography
212
Steganography
According to Herodotus (Greece 440 BC)

o
o
o
o
o
Shaved slaves head

Wrote message on head
Let hair grow back
Send slave to deliver message
Shave slaves head to expose a message
warning of Persian invasion
Historically, steganography used by

military more often than cryptography
Part 1
Cryptography
213
Images and Steganography
Images use 24 bits for color: RGB

o 8 bits for red, 8 for green, 8 for blue
For example
o 0x7E 0x52 0x90 is this color

o 0xFE 0x52 0x90 is this color
While
o 0xAB 0x33 0xF0 is this color

o 0xAB 0x33 0xF1 is this color
Low-order bits dont matter
Part 1
Cryptography
214
Images and Stego
Given an uncompressed image file

o For example, BMP format
we can insert information into low-order

RGB bits
Since low-order RGB bits dont matter,
changes will be invisible to human eye
o But, computer program can see the bits
Part 1
Cryptography
215
Stego Example 1
Left side: plain Alice image

Right side: Alice with entire Alice in
Wonderland (pdf) hidden in the image
Part 1
Cryptography
216
Non-Stego Example
Walrus.html in web browser
View source reveals:
"The time has come," the Walrus

said, 
"To talk of many things: 
Of shoes and ships and sealing wax
 
Of cabbages and kings 
And why the sea is boiling hot
 
Part 1 Cryptography
And whether pigs have wings."
217
Stego Example 2
stegoWalrus.html in web browser
View source reveals:
"The time has come," the Walrus

said, 
"To talk of many things: 
Of shoes and ships and sealing wax
 
Of cabbages and kings 
And why the sea is boiling hot
Hidden
 message: 011 010 100 100 000
And whether pigs have wings."
Part 
1 Cryptography
101
218
Steganography
Some formats (e.g., image files) are more

difficult than html for humans to read
o But easy for computer programs to read
Easy to hide info in unimportant bits

Easy to damage info in unimportant bits
To be robust, must use important bits
o But stored info must not damage data

o Collusion attacks are also a concern
Robust steganography is tricky!
Part 1
Cryptography
219
Information Hiding:
The Bottom Line
Not-so-easy to hide digital information
o Obvious approach is not robust

o Stirmark: tool to make most watermarks in
images unreadable without damaging the image

o Stego/watermarking are active research topics
If information hiding is suspected

o Attacker may be able to make
information/watermark unreadable
o Attacker may be able to read the information,
given the original document (image, audio, etc.)
Part 1
Cryptography
220
Chapter 6:
Advanced Cryptanalysis
For there is nothing covered, that shall not be revealed;
neither hid, that shall not be known.
Luke 12:2
The magic words are squeamish ossifrage
Solution to RSA challenge problem
posed in 1977 by Ron Rivest, who
estimated that breaking the message
would require 40 quadrillion years.
It was broken in 1994.
Part 1
Cryptography
221
Advanced Cryptanalysis
Modern
block cipher cryptanalysis
o Differential cryptanalysis
o Linear cryptanalysis
Side
channel attack on RSA

Lattice reduction attack on knapsack
Hellmans TMTO attack on DES
Part 1
Cryptography
222
Linear and Differential

Cryptanalysis
Part 1
Cryptography
223
Introduction
Both linear and differential cryptanalysis
developed to attack DES
Applicable to other block ciphers
Differential
Biham and Shamir, 1990
o Apparently known to NSA in 1970s

o For analyzing ciphers, not a practical attack
o A chosen plaintext attack
Linear cryptanalysis
Matsui, 1993
o Perhaps not know to NSA in 1970s

o Slightly more feasible than differential
o A known plaintext attack
Part 1
Cryptography
224
DES Overview
Linear stuff
XOR
Ki subkey
S-boxes
8 S-boxes
Each S-box maps
6 bits to 4 bits
Example: S-box 1
input bits (0,5)
input bits (1,2,3,4)

|0123456789ABCDEF
Linear stuff
R
Part 1
Cryptography
0|E4D12FB83A6C5907
1|0F74E2D1A6CB9534
2|41E8D62BFC973A50
3|FC8249175B3EA06D
225
Overview of Differential
Cryptanalysis
Part 1
Cryptography
226
Differential Cryptanalysis
Recall that all of DES is linear except for
the S-boxes
Differential attack focuses on overcoming
this nonlinearity
Idea is to compare input and output
differences
For simplicity, first consider only one
round and only one S-box
Part 1
Cryptography
227
Suppose a cipher has 3-bit to 2-bit S-box

row
0
1
00
10
00
column
01 10 11
01 11 00
10 01 11
Sbox(abc) is element in row a column bc

Example: Sbox(010) = 11
Part 1
Cryptography
228
row
0
1
00
10
00
column
01 10 11
01 11 00
10 01 11
Suppose X1 = 110, X2 = 010, K = 011
Then X1 K = 101 and X2 K = 001
Sbox(X1 K) = 10 and Sbox(X2 K) =

01
Part 1
Cryptography
229
row
0
1
00
10
00
column
01 10 11
01 11 00
10 01 11
Differential
Cryptanalysis
Suppose
o Unknown key: K
o Known inputs: X = 110, X = 010
o Known outputs: Sbox(X K) = 10, Sbox(X
K) = 01
Know X K {000,101}, X K
{001,110}
Then K {110,011} {011,100} K =
011
Part 1 Cryptography
230
Like a known plaintext attack on S-box
Attacking one S-box not very useful!

o
1.
To make this work we must do 2 things

Extend the attack to one round
o
o
2.
And Trudy cant always see input and output
Have to deal with all S-boxes

Choose input so only one S-box active
Then extend attack to (almost) all rounds

o
o
Part 1
Output of one round is input to next round

Choose input so output is good for next round
Cryptography
231
We deal with input and output differences
Suppose we know inputs X and X
o
o
o
o
For X the input to S-box is X K

For X the input to S-box is X K
Key K is unknown
Input difference: (X K) (X K) = X X
Input difference is independent of key K

Output difference: Y Y is (almost) input
difference to next round
Goal is to chain differences thru rounds
Part 1
Cryptography
232
If we obtain known output difference from

known input difference
o May be able to chain differences thru rounds
o Its OK if this only occurs with some probability
If input difference is 0
o output difference is 0
o Allows us to make some S-boxes inactive with
respect to differences
Part 1
Cryptography
233
S-box
Differential
Analysis
Input diff
000 not
interesting
Input diff 010
always gives
output diff 01
More biased,
the better (for
Trudy)
Part 1
Cryptography
row
0
1
00
10
00
column
01 10 11
01 11 00
10 01 11
Sbox(X) Sbox(X)
00 01 10 11
000 8
0
0
0
001 0
0
4
4
010 0
8
0
X
0
011
X
100
101
110
111
0
0
4
0
4
0
0
4
0
4
4
4
0
4
0
4
4
0
4
0234
Overview of Linear
Cryptanalysis
Part 1
Cryptography
235
Linear Cryptanalysis
Like differential cryptanalysis, we target
the nonlinear part of the cipher
But instead of differences, we approximate
the nonlinearity with linear equations
For DES-like cipher we need to
approximate S-boxes by linear functions
How well can we do this?
Part 1
Cryptography
236
column
01 10 11
01 11 00
10 01 11
S-box
Linear
Analysis
row
0
1
Input x0x1x2
where x0 is row
and x1x2 is
column
Output y0y1
Count of 4 is
unbiased
Count of 0 or 8
1 Cryptography
is Part
best
for
output
y0
y1 y0y1
0
4
4
4
i
x0 4
4
4
n
x1 4
6
2
p
x2 4
4
4
u x0x1
4
2
2
t x0x2
0
4
4
x1x2
4
6
6
x0x1x2
4
6
2
237
00
10
00
Linear
Analysis
For example,
y1 = x1
with prob. 3/4
And
y0 = x0x21
with prob. 1
And
y0y1=x1x2
with prob. 3/4
Part 1
Cryptography
row
0
1
00
10
00
column
01 10 11
01 11 00
10 01 11
output
y0
y1 y0y1
0
4
4
4
i
x0 4
4
4
n
x1 4
6
2
p
x2 4
4
4
u x0x1
4
2
2
t x0x2
0
4
4
x1x2
4
6
6
x0x1x2
4
6
2
238
Linear Cryptanalysis
Consider a single DES S-box
Let Y = Sbox(X)
Suppose y3 = x2 x5 with high probability
o I.e., a good linear approximation to output y3
Can we extend this so that we can solve

linear equations for the key?
As in differential cryptanalysis, we need to
chain thru multiple rounds
Part 1
Cryptography
239
Linear Cryptanalysis of DES

DES is linear except for S-boxes
How well can we approximate S-boxes with
linear functions?
DES S-boxes designed so there are no good
linear approximations to any one output bit
But there are linear combinations of output
bits that can be approximated by linear
combinations of input bits
Part 1
Cryptography
240
Tiny DES
Part 1
Cryptography
241
Tiny DES (TDES)
A much simplified version of DES

o
o
o
o
o
16 bit block
16 bit key
4 rounds
2 S-boxes, each maps 6 bits to 4 bits
12 bit subkey each round
Plaintext = (L0, R0)

Ciphertext = (L4, R4)
No useless junk
Part 1
Cryptography
242
key
R
8
expand
8
shift
12
shift
8
Ki
XOR
6
compress
12
8
SboxLeft SboxRight
One
Round
of
TDES
4
XOR
8
Part 1
Cryptography
key
243
TDES Fun Facts

TDES is a Feistel Cipher
(L0,R0) = plaintext
For i = 1 to 4
Li = Ri-1
Ri = Li-1 F(Ri-1, Ki)
Ciphertext = (L4,R4)
F(Ri-1, Ki) = Sboxes(expand(Ri-1) Ki)
where Sboxes(x0x1x2x11) =
(SboxLeft(x0x1x5), SboxRight(x6x7x11))
Part 1
Cryptography
244
TDES Key Schedule

Key: K = k0k1k2k3k4k5k6k7k8k9k10k11k12k13k14k15
Subkey
o Left: k0k1k7 rotate left 2, select 0,2,3,4,5,7
o Right: k8k9k15 rotate left 1, select 9,10,11,13,14,15
Subkey
Subkey
Subkey
Subkey
Part 1
K1
K2
K3
K4
=
=
=
=
Cryptography
k2k4k5k6k7k1k10k11k12k14k15k8
245
TDES expansion perm
Expansion permutation: 8 bits to 12 bits
r0r1r2r3r4r5r6r
7
r4r7r2r1r5r7r0r2r6r5r0r3
We can write this as

expand(r0r1r2r3r4r5r6r7) =
r4r7r2r1r5r7r0r2r6r5r0r3
Part 1
Cryptography
246
TDES S-boxes
0123456789ABCDEF
0C50AE728D4396F1B
11C963EB2F845DA07
2FAE6D824179035BC
30A3C821E97F6B5D4
Left S-box
SboxLeft
Part 1
Right S-box
SboxRight
0123456789ABCDEF
069A34D78E12B5CF0
19EBA45078632CD1F
281C2D3EF095A4B67
39025AD6E18BC347F
Cryptography
247
Differential Cryptanalysis of
TDES
Part 1
Cryptography
248
TDES
TDES SboxRight
0123456789ABCDEF
0C50AE728D4396F1B
11C963EB2F845DA07
2FAE6D824179035BC
30A3C821E97F6B5D4
For X and X suppose X X = 001000

Then SboxRight(X) SboxRight(X) =
0010 with probability 3/4
Part 1
Cryptography
249
Differential Crypt. of TDES

The game plan
Select P and P so that
P P = 0000 0000 0000 0010 =
0x0002
Note that P and P differ in exactly 1 bit
Lets carefully analyze what happens as
these plaintexts are encrypted with TDES
Part 1
Cryptography
250
TDES
If Y Y = 001000 then with probability
3/4 SboxRight(Y) SboxRight(Y) = 0010
Y Y = 001000 (YK) (YK) =
001000
If Y Y = 000000 then for any S-box, we
have Sbox(Y) Sbox(Y) = 0000
Difference of (0000 0010) is expanded by
TDES expand perm to diff. (000000
001000)
The bottom line: If X X = 00000010
then F(X, K) F(X, K) = 00000010 with
Partprob.
1 Cryptography
251
3/4
TDES
From
the previous slide
o Suppose R R = 0000 0010

o Suppose K is unknown key
o Then with probability 3/4
F(R,K) F(R,K) = 0000 0010

The
bottom line? With probability 3/4
o Input to next round same as current round
So
Part 1
we can chain thru multiple rounds
Cryptography
252
TDES Differential Attack
Select P and P with P P = 0x0002
(L0,R0) = P
(L0,R0) = P
P P = 0x0002
L1 = R0
R1 = L0 F(R0,K1)
L1 = R0
R1 = L 0
F(R0,K1)
With probability 3/4

(L1,R1) (L1,R1) =
0x0202
L2 = R1
R2 = L 1
F(R1,K2)
With probability (3/4)2

(L2,R2) (L2,R2) =
0x0200
L2 = R1
R2 = L1 F(R1,K2)
L3 = R2
R3 = L2 F(R2,K3)
L4 = R3
R4 = L3 F(R3,K4)
L3 = R2
R3 = L 2
F(R2,K3)
C = (L
Part
1 4) Cryptography L = R
4,R
4
3
R =L

(L3,R3) (L3,R3) =
0x0002
253
(L4,R4) (L4,R4) =

Choose P and P with P P = 0x0002
If C C = 0x0202 then
R4 = L3 F(R3, K4)
R4 = L3 F(L4, K4)
R4 = L3 F(R3, K4)
R4 = L3 F(L4, K4)
and (L3, R3) (L3, R3) = 0x0002

Then L3 = L3 and C=(L4, R4) and C=(L4, R4)
are both known
Since L3 = R4 F(L4, K4) and L3 = R4 F(L4,
K4), for correct choice of subkey K4 we have
R4 F(L4, K4) = R4 F(L4, K4)
Part 1
Cryptography
254

If C C = (L4, R4) (L4, R4) = 0x0202
Then for the correct subkey K4
R4 F(L4, K4) = R4 F(L4, K4)
which we rewrite as
R4 R4 = F(L4, K4) F(L4, K4)
where the only unknown is K4
Let L4 = l0l1l2l3l4l5l6l7. Then we have
0010 = SBoxRight( l0l2l6l5l0l3
k13k14k15k9k10k11)
SBoxRight( l0l2l6l5l0l3
Part 1 Cryptography
k13k14k15k9k10k11)
255

Algorithm to find right 6 bits of subkey K4
count[i] = 0, for i = 0,1,. . .,63
for i = 1 to iterations
Obtain corresponding C and C
if C C = 0x0202
for K = 0 to 63
if 0010 == (SBoxRight( l0l2l6l5l0l3 K)
SBoxRight( l0l2l6l5l0l3 K))
++count[K]
end if
next K
end if
next i
PartK
1 with
Cryptography
All
max count[K] are possible (partial)256K4

Experimental results
Choose 100 pairs P and P with P P=
0x0002
Found 47 of these give C C = 0x0202
Tabulated counts for these 47
o Max count of 47 for each
K {000001,001001,110000,111000}
o No other count exceeded 39
Implies that K4 is one of 4 values, that is,

k13k14k15k9k10k11
{000001,001001,110000,111000}
Actual key is K=1010 1001 1000 0111
Part 1
Cryptography
257
Linear Cryptanalysis of
TDES
Part 1
Cryptography
258
Linear Approx. of Left S-Box
TDES left S-box or SboxLeft

0123456789ABCDEF
069A34D78E12B5CF0
19EBA45078632CD1F
281C2D3EF095A4B67
39025AD6E18BC347F
Notation: y0y1y2y3 = SboxLeft(x0x1x2x3x4x5)

For this S-box, y1=x2 and y2=x3 both with
probability 3/4
Can we chain this thru multiple rounds?
Part 1
Cryptography
259
TDES Linear Relations
Recall that the expansion perm is

expand(r0r1r2r3r4r5r6r7) = r4r7r2r1r5r7r0r2r6r5r0r3
And y0y1y2y3 = SboxLeft(x0x1x2x3x4x5) with y1=x2
and y2=x3 each with probability 3/4
Also, expand(Ri1) Ki is input to Sboxes at

round i
Then y1=r2km and y2=r1kn both with prob 3/4
New right half is y0y1y2y3 plus old left half
Bottom line: New right half bits: r1 r2 km l1

and r2 r1 kn l2 both with probability 3/4
Part 1
Cryptography
260
Recall TDES Subkeys
Key: K = k0k1k2k3k4k5k6k7k8k9k10k11k12k13k14k15
Subkey K1 = k2k4k5k6k7k1k10k11k12k14k15k8
Part 1
Cryptography
261
TDES Linear Cryptanalysis
Known P=p0p1p2p15 and C=c0c1c2c15
(L0,R0) = (p0p7,p8
p15)
L1 = R0
R1 = L0 F(R0,K1)
L2 = R1
R2 = L1 F(R1,K2)
L3 = R2
R3 = L2 F(R2,K3)
L4 = R3
R4 = L3 F(R3,K4)
Part 1
C = (L ,R )
Cryptography
Bit 1, Bit 2
(numbering from 0)
p9, p10
p1p10k5, p2p9k6
probability
p1p10k5, p2p9k6
p2k6k7, p1k5k0
3/4
(3/4)2
p2k6k7, p1k5k0
p10k0k1, p9k7k2
(3/4)2
(3/4)3
1
3/4
(3/4)3
p10k0k1, p9k7k2
k0 k1 = c1 p10
(3/4)3
k7 k2 = c2 p9
(3/4)3
262
TDES Linear Cryptanalysis
Experimental results
Use 100 known plaintexts, get ciphertexts.
o Let P=p0p1p2p15 and let C=c0c1c2c15
Resulting counts
o
o
o
o
c1
c1
c2
c2
p10 = 0 occurs 38 times

Conclusions
o Since k0 k1 = c1 p10 we have k0 k1 = 1

o Since k7 k2 = c2 p9 we have k7 k2 = 0
Actual key is K = 1010 0011 0101 0110
Part 1
Cryptography
263
To Build a Better Block Cipher

How can cryptographers make linear and
differential attacks more difficult?
1. More rounds
success probabilities diminish
with each round

2. Better confusion (S-boxes) reduce success
probability on each round
3. Better diffusion (permutations) more
difficult to chain thru multiple rounds
Part 1
Limited mixing and limited nonlinearity,

means that more rounds required: TEA
Strong mixing and nonlinearity, then
fewer (but more complex) rounds: AES
Cryptography
264
Side Channel Attack on RSA
Part 1
Cryptography
265
Side Channel Attacks

Sometimes possible to recover key without
directly attacking the crypto algorithm
A side channel consists of incidental info
Side channels can arise due to
o The way that a computation is performed

o Media used, power consumed, emanations, etc.
Induced faults can also reveal information

Side channel may reveal a crypto key
Paul Kocher one of the first in this field
Part 1
Cryptography
266
Types of Side Channels
Emanations security (EMSEC)
o Electromagnetic field (EMF) from computer screen can
allow screen image to be reconstructed at a distance

o Smartcards have been attacked via EMF emanations
Differential power analysis (DPA)
o Smartcard power usage depends on the computation
Differential fault analysis (DFA)
o Key stored on smartcard in GSM system could be read
using a flashbulb to induce faults
Timing analysis
o Different computations take different time

o RSA keys recovered over a network (openSSL)!
Part 1
Cryptography
267
The Scenario
Alices public key: (N,e)
Alices private key: d
Trudy wants to find d
Trudy can send any message M to Alice and
Alice will respond with Md mod N
o That is, Alice signs M and sends result to Trudy
Trudy can precisely time Alices

computation of Md mod N
Part 1
Cryptography
268
Timing Attack on RSA
Consider Md mod N
We want to find private
key d, where d = d0d1
dn
Spse repeated squaring
used for Md mod N
Suppose, for efficiency
mod(x,N)
if x >= N
x=x%N
end if
return x
Part 1
Cryptography
Repeated
Squaring
x=M
for j = 1 to n
x = mod(x2,N)
if dj == 1 then
x=
mod(xM,N)
end if
next j
return x
269
Timing Attack
If dj = 0 then
o x = mod(x2,N)
If dj = 1 then
o x = mod(x ,N)
o x = mod(xM,N)
2
Computation time
differs in each case
Can attacker take
advantage of this?
Part 1
Cryptography
Repeated
Squaring
x=M
for j = 1 to n
x = mod(x2,N)
if dj == 1 then
x = mod(xM,N)
end if
next j
return x
mod(x,N)
if x >= N
x=x%N
end if
return x
270
Timing Attack
Choose M with M3 < N

Choose M with M2 < N < M3
Let x = M and x = M
Consider j = 1
o x = mod(x2,N) does no %
o x = mod(xM,N) does no %
o x = mod(x2,N) does no %
o
x = mod(xM,N)
d1=1
does % only if
If d1 = 1 then j = 1 step
takes longer for M than for M
But more than one round
Part 1
Cryptography
Repeated
Squaring
x=M
for j = 1 to n
x = mod(x2,N)
if dj == 1 then
x = mod(xM,N)
end if
next j
return x
mod(x,N)
if x >= N
x=x%N
end if
return x
271
Timing Attack on RSA

An example of a chosen plaintext attack
Choose M0,M1,,Mm-1 with
o Mi3 < N for i=0,1,,m-1
Let ti be time to compute Mid mod N

o t = (t0 + t1 + + tm-1) / m
Choose M0,M1,,Mm-1 with
o Mi2 < N < Mi3 for i=0,1,,m-1
Let ti be time to compute Mid mod N

o t = (t0 + t1 + + tm-1) / m
If t > t then d1 = 1 otherwise d1 = 0

Once d1 is known, find d2 then d3 then
Part 1
Cryptography
272
Side Channel Attacks

If crypto is secure Trudy looks for shortcut
What is good crypto?
o More than mathematical analysis of algorithms

o Many other issues (such as side channels) must
be considered
o See Schneiers article
Lesson: Attackers dont play by the rules!
Part 1
Cryptography
273
Knapsack Lattice Reduction

Attack
Part 1
Cryptography
274
Lattice?
Many
problems can be solved by

finding a short vector in a lattice
Let b1,b2,,bn be vectors in m
All
1b1+2b2++nbn, each i is an
integer is a discrete set of points
Part 1
Cryptography
275
What is a Lattice?
Suppose b1=[1,3]T and b2=[2,1]T
Then any point in the plane can be written
as 1b1+2b2 for some 1,2
o Since b1 and b2 are linearly independent
We say the plane 2 is spanned by (b1,b2)

If 1,2 are restricted to integers, the
resulting span is a lattice
Then a lattice is a discrete set of points
Part 1
Cryptography
276
Lattice Example
Suppose
b1=[1,3]T and
b2=[2,1]T
The lattice
spanned by
(b1,b2) is
pictured to the
right
Part 1
Cryptography
277
Exact Cover
Exact
cover given a set S and a

collection of subsets of S, find a
collection of these subsets with each
element of S is in exactly one subset
Exact cover is can be solved by
finding a short vector in a lattice
Part 1
Cryptography
278
Exact Cover Example

Set S = {0,1,2,3,4,5,6}
Spse m = 7 elements and n = 13 subsets
Subset:
0
1
2
3
4
5
6
7
8
9 10 11
12
Elements: 013 015 024 025 036 124 126 135 146 1 256
345 346
Find a collection of these subsets with each

element of S in exactly one subset
Could try all 213 possibilities
If problem is too big, try heuristic search
Many different heuristic search techniques
Part 1
Cryptography
279
Exact Cover Solution

Exact cover in matrix form
o Set S = {0,1,2,3,4,5,6}
o Spse m = 7 elements and n = 13 subsets
e
l
e
m
e
n
t
s
Subset:
0
1
2
3
4
5
6
7
8
9 10
11 12
Elements: 013 015 024 025 036 124 126 135 146 1 256
345subsets
346
Solve: AU = B
where ui {0,1}
Solution:
U = [0001000001001]T
mx1
mxn
Part 1
Cryptography
nx1
280
Example
We can restate AU = B as MV = W where
Matrix M
Vector V Vector W
The desired solution is U
o Columns of M are linearly independent
Let c0,c1,c2,,cn be the columns of M
Let v0,v1,v2,,vn be the elements of V
Then W = v0c0 + v1c1 + + vncn
Part 1
Cryptography
281
Example
Let
L be the lattice spanned by

c0,c1,c2,,cn (ci are the columns of M)
Recall
MV = W
o Where W = [U,0]T and we want to find U

o But if we find W, weve also solved it!
Note
W is in lattice L since all vi are

integers and W = v0c0 + v1c1 + +
vncn
Part 1
Cryptography
282
Facts
W = [u0,u1,,un-1,0,0,,0] L, each ui
{0,1}
The length of a vector Y N is
||Y|| = sqrt(y02+y12++yN-12)
Then the length of W is
||W|| = sqrt(u02+u12++un-12) sqrt(n)
So W is a very short vector in L where
o First n entries of W all 0 or 1

o Last m elements of W are all 0
Can we use these facts to find U?
Part 1
Cryptography
283
Lattice Reduction
If we can find a short vector in L, with first

n entries all 0 or 1 and last m entries all 0
o Then we might have found solution U
LLL lattice reduction algorithm will

efficiently find short vectors in a lattice
About 30 lines of pseudo-code specify LLL
No guarantee LLL will find desired vector
But probability of success is often good
Part 1
Cryptography
284
Knapsack Example
What does lattice reduction have to do with
the knapsack cryptosystem?
Suppose we have
o Superincreasing knapsack
S = [2,3,7,14,30,57,120,251]
o Suppose m = 41, n = 491 m1 = 12 mod n
o Public knapsack: ti = 41 si mod 491
T = [82,123,287,83,248,373,10,471]
Public key: T
Part 1
Cryptography
Private key: (S,m1,n)

285
Knapsack Example
Public key: T
Private key: (S,m1,n)
S = [2,3,7,14,30,57,120,251]
T = [82,123,287,83,248,373,10,471]
n = 491, m1 = 12
Example: 10010110 is encrypted as
82+83+373+10 = 548
Then receiver computes
548 12 = 193 mod 491
and uses S to solve for 10010110
Part 1
Cryptography
286
Knapsack LLL Attack

Attacker
knows public key
T = [82,123,287,83,248,373,10,471]
Attacker
knows ciphertext: 548

Attacker wants to find ui {0,1} s.t.
82u0+123u1+287u2+83u3+248u4+373u5+10u6+471
u7=548
This
can be written as a matrix equation

(dot product): T U = 548
Part 1
Cryptography
287
Knapsack LLL Attack
Attacker knows: T =
[82,123,287,83,248,373,10,471]
Wants to solve: T U = 548 where each ui
{0,1}
o Same form as AU = B on previous slides!
o We can rewrite problem as MV = W where
LLL gives us short vectors in the lattice spanned by

the columns of M
Part 1
Cryptography
288
LLL Result
LLL finds short vectors in lattice of M
Matrix M is result of applying LLL to M
Column marked with has the right form

Possible solution: U = [1,0,0,1,0,1,1,0]T
Easy to verify this is actually the plaintext
Part 1
Cryptography
289
Bottom Line
Lattice
reduction is a surprising
method of attack on knapsack
A cryptosystem is only secure as long
as nobody has found an attack
Lesson: Advances in mathematics
can break cryptosystems!
Part 1
Cryptography
290
Hellmans TMTO Attack
Part 1
Cryptography
291
Popcnt
Before we consider Hellmans attack,
consider a simple Time-Memory TradeOff
Population count or popcnt
o Let x be a 32-bit integer

o Define popcnt(x) = number of 1s in binary
expansion of x
o How to compute popcnt(x) efficiently?
Part 1
Cryptography
292
Simple Popcnt
Most
obvious thing to do is
popcnt(x) // assuming x is 32-bit value
t=0
for i = 0 to 31
t = t + ((x >> i) & 1)
next i
return t
end popcnt
But is it the most efficient?
Part 1
Cryptography
293
More Efficient Popcnt

Precompute
popcnt for all 256 bytes

Store precomputed values in a table
Given x, lookup its bytes in this table
o Sum these values to find popcnt(x)
Note
that precomputation is done once

Each popcnt now requires 4 steps, not 32
Part 1
Cryptography
294
More Efficient Popcnt

Initialize: table[i] = popcnt(i) for i = 0,1,,255
popcnt(x) // assuming x is 32-bit value
p = table[ x & 0xff ]
+ table[ (x >> 8) & 0xff ]
+ table[ (x >> 16) & 0xff ]
+ table[ (x >> 24) & 0xff ]
return p
end popcnt
Part 1
Cryptography
295
TMTO Basics
A precomputation
o One-time work
o Results stored in a table
Precomputation results used to make each

subsequent computation faster
Balancing memory and time
In general, larger precomputation requires
more initial work and larger memory but
each subsequent computation is less time
Part 1
Cryptography
296
Block Cipher Notation

Consider
a block cipher
C = E(P, K)
where
P is plaintext block of size n
C is ciphertext block of size n
K is key of size k
Part 1
Cryptography
297
Block Cipher as Black Box
For TMTO, treat block cipher as black box

Details of crypto algorithm not important
Part 1
Cryptography
298
Hellmans TMTO Attack
Chosen plaintext attack: choose P and

obtain C, where C = E(P, K)
Want to find the key K
Two obvious approaches
1.
2.
Exhaustive key search
Memory is 0, but time of 2k-1 for each attack
Pre-compute C = E(P, K) for all possible K
Then given C, can simply look up key K in the table

Memory of 2k but time of 0 for each attack
TMTO lies between 1. and 2.
Part 1
Cryptography
299
Chain of Encryptions
Assume block and key lengths equal: n = k

Then a chain of encryptions is
SP = K0 =Starting Point
K1 = E(P, SP)
K2 = E(P, K1)
:
:
EP = Kt = E(P, Kt1) =End Point

Part 1
Cryptography
300
Encryption Chain
Part 1
Ciphertext used as key at next iteration

Same (chosen) plaintext at each iteration
Cryptography
301
Pre-computation
Pre-compute
m encryption chains, each

of length t +1
Save only the start and end points
(SP0, EP0) SP
EP0
(SP1, EP1)
:
(SPm-1, EPm-1)
Part 1
Cryptography
EP1
SP1
EPm-1
SPm-1
302
TMTO Attack
Memory: Pre-compute encryption chains and

save (SPi, EPi) for i = 0,1,,m1
o This is one-time work
Then to attack a particular unknown key K

o For the same chosen P used to find chains, we
know C where C = E(P, K) and K is unknown key

o Time: Compute the chain (maximum of t steps)
X0 = C, X1 = E(P, X0), X2 = E(P, X1),
Part 1
Cryptography
303
TMTO Attack
Consider
the computed chain

X0 = C, X1 = E(P, X0), X2 = E(P, X1),
Suppose
for some i we find Xi = EPj

C
SPj
EPj
Since
Part 1
C = E(P, K) key K before C in chain!
Cryptography
304
TMTO Attack
To summarize, we compute chain

X0 = C, X1 = E(P, X0), X2 = E(P, X1),
If for some i we find Xi = EPj
Then reconstruct chain from SPj

Y0 = SPj, Y1 = E(P,Y0), Y2 = E(P,Y1),
Find C = Yti = E(P, Yti1) (always?)
Then K = Yti1 (always?)
Part 1
Cryptography
305
Trudys Perfect World

Suppose block cipher has k = 56
That is, the key length is 56 bits
Suppose we find m = 228 chains, each of

length t = 228 and no chains overlap
Memory: 228 pairs (SPj, EPi)
Time: about 228 (per attack)
o
o
Start at C, find some EPj in about 227 steps

Find K with about 227 more steps
Attack never fails

Part 1
Cryptography
306
Trudys Perfect World

No
chains overlap
Any ciphertext C is in some chain
SP0
EP0
C
SP1
K
EP2
SP2
Part 1
EP1
Cryptography
307
The Real World

Chains
are not so well-behaved!

Chains can cycle and merge
K
C
EP
SP
Chain
from C goes to EP
Chain from SP to EP does not contain K
Is this Trudys nightmare?
Part 1
Cryptography
308
Real-World TMTO Issues

Merging, cycles, false alarms, etc.
Pre-computation is lots of work
o Must attack many times to make it worthwhile
Success is not assured
o Probability depends on initial work
What if block size not equal key length?

o This is easy to deal with
What is the probability of success?

o This is not so easy to compute
Part 1
Cryptography
309
To Reduce Merging
Compute chain as F(E(P, Ki1)) where F
permutes the bits
Chains computed using different functions
can intersect, but they will not merge
SP0
SP1
Part 1
Cryptography
F0 chain
F1 chain
EP1
EP0
310
Hellmans TMTO in Practice
Let
o m = random starting points for each F

o t = encryptions in each chain
o r = number of random functions F
Then mtr = total precomputed chain elements

Pre-computation is O(mtr) work
Each TMTO attack requires
o O(mr) memory and O(tr) time
If we choose m = t = r = 2k/3 then
o Probability of success is at least 0.55
Part 1
Cryptography
311
TMTO: The Bottom Line

Attack is feasible against DES
Pre-computation is about 256 work
Each attack requires about
o 237 memory
o 237 time
Attack is not particular to DES

No fancy math is required!
Lesson: Clever algorithms can break crypto!
Part 1
Cryptography
312
Crypto Summary
Terminology
Symmetric
key crypto
o Stream ciphers
A5/1 and RC4
o Block ciphers
DES, AES, TEA

Modes of operation
Integrity
Part 1
Cryptography
313
Crypto Summary
Public
o
o
o
o
o
o
Part 1
key crypto
Knapsack
RSA
Diffie-Hellman
ECC
Non-repudiation
PKI, etc.
Cryptography
314
Crypto Summary
Hashing
o Birthday problem
o Tiger hash
o HMAC
Secret
sharing
Random numbers
Part 1
Cryptography
315
Crypto Summary
Information
hiding
o Steganography
o Watermarking
Cryptanalysis
o
o
o
o
Part 1
Linear and differential cryptanalysis

RSA timing attack
Knapsack attack
Hellmans TMTO
Cryptography
316
Coming Attractions
Access
Control
o Authentication -- who goes there?

o Authorization -- can you do that?
Well
see some crypto in next chapter

Well see lots of crypto in protocol
chapters
Part 1
Cryptography
317

1 Crypto

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

1 Crypto

Uploaded by

Copyright:

Available Formats

Part I: Crypto

Chapter 2: Crypto Basics

plaintext from Lewis Carroll, Alice in Wonderland

The solution is by no means so difficult as you might

The art and science of

How to Speak Crypto

o The system is completely known to the attacker

This is known as Kerckhoffs Principle

o Experience has shown that secret algorithms

tend to be weak when exposed

Crypto as Black Box

A generic view of symmetric key crypto

Ceasars Cipher Decryption

we know a Caesars cipher is

by n for some n {0,1,2,

Cryptanalysis I: Try Them All

A simple substitution (shift by n) is used

Given ciphertext: CSYEVIXIVQMREXIH

Simple Substitution: General Case

In general, simple substitution key can be

Then 26! > 288 possible keys

Cryptanalysis II: Be Clever

Analyze this message using statistics below

Ciphertext frequency counts:

is secure if best know

One-Time Pad: Encryption

Encryption: Plaintext Key = Ciphertext

One-Time Pad: Decryption

Decryption: Ciphertext Key = Plaintext

One-Time Pad Summary

o Ciphertext provides no info about plaintext

BUT, only when be used correctly

o Pad must be random, used only once

Note: pad (key) is same size as message

Real-World One-Time Pad

30s, 40s, and 50s

Spy carried one-time pad into U.S.

VENONA Decrypt (1944)

Ruth == Ruth Greenglass

Modern block ciphers are codebooks!

Codebook Cipher: Additive

also (usually) use additive

Encrypt message with codebook

use an additive sequence?

Random Historical Items

Rutherfraud Hayes vs Swindling Tilden

Electoral college delegations for 4 states

o Voted on straight party lines

Tilden accused Hayes of bribery

Early 20th Century

o Henry L. Stimson, Secretary of State, 1929

golden age of cryptanalysis

obscure relationship between

Proved one-time pad is secure

o Same key for encryption and decryption

Public Key (or asymmetric crypto)

o Two keys, one for encryption (public), and one

for decryption (private)

o Can be viewed as one way crypto

From perspective of info available to Trudy

Trudys worst case scenario

Symmetric Key Crypto